17.08.2010

Third party representatives acting with consent

Nominees

70.87 In DP 72, the ALRC asked two questions about nominees: whether the Privacy Act should be amended expressly to allow a third party nominated by an individual to make a decision under the Privacy Act, either for one-off or long term arrangements; and whether nominees should be recognised as ‘authorised representatives’.[126]

Submissions and consultations

70.88 Most stakeholders that addressed the matter supported the recognition of nominees in the Privacy Act.[127] The Office of the Victorian Privacy Commissioner noted that this approach is consistent with privacy laws by ‘allowing an individual the maximum amount of autonomy in decisions concerning their own personal information, to the extent that is reasonable and practicable’.[128] The nominee arrangement also was seen as giving recognition to the fact that capacity is not a fixed concept and can change over time.[129]

70.89 Some of the support for a nominee arrangement was qualified. Stakeholders highlighted particular concerns about how such an arrangement would operate in practice, including:

  • the need for clear guidance on when the arrangement can be used;[130]

  • the need for safeguards to be put in place to ensure that the individual has capacity at the time the nomination is made;[131]

  • the requirement of a close and continuing relationship between the individual and the nominated person—ie, the nominee should fall within a definition of ‘person responsible’;[132]

  • the need for a process to ensure that the nomination is up-to-date and reviewed at times when the individual has capacity;[133]

  • subjecting the nomination process, particularly in health care contexts, to guidelines and rules that would promote the inclusion of time limits concerning the duration of the nomination;[134]

  • the development of appropriate safeguards for agencies and organisations that rely on decisions by, and directions of, nominees—including an entitlement to assume that the appointment is valid and enduring unless otherwise notified;[135]

  • the need to ensure that individuals are informed of any changes made by the nominee;[136]

  • the identification of avenues for review of, or challenge to, a nomination;[137] and

  • a recognition of existing protections provided for in state and territory guardianship legislation that should apply in the event of the abuse of the position by the nominee.[138]

70.90 Carers Australia noted that the nominee arrangement should not create practical difficulties for carers who must organise arrangements across all relevant agencies and organisations.

A likely scenario might involve negotiating such ‘semi-formal’ arrangements with Centrelink, phone company, gas company, electricity company, housing department/real estate agent, various disability or aged care providers, private health fund etc. Making these arrangements should not add another layer of administrative burden for carers. For carers who may be struggling to deal emotionally and practically with the impairment or disability of a loved one, this is yet another responsibility they are expected to undertake with little assistance or guidance. For this reason, simplicity and consistency in the establishment of such arrangements would be essential.[139]

70.91 While Medicare Australia supported the existence and operation of a nominee arrangement, it did not consider it necessary to give it a legislative basis in the Privacy Act.[140] Carers Australia did not support a legislative provision that duplicates the existing process of appointing an enduring power of attorney.[141] Similar concerns were expressed by the business sector.

It is open to people to make a formal nomination by way of an enduring power of attorney. Informal nominations should be approached with extreme caution and on their own should not be sufficient. There must be a close and continuing relationship between the incapacitated person and the nominated person, so that even without the nomination the nominated person could be considered a responsible person.[142]

70.92 A number of stakeholders queried whether a nomination should be made in writing. They suggested that verbal nominations and revocation of nominations also should be recognised.[143]

70.93 In contrast, GE Money noted:

There are very real issues for organisations in determining whether it is appropriate to disclose information to anyone other than the individual concerned. There are significant issues involved in correctly identifying a third party, even if the organisation is clear that a third party is authorised by the individual to receive information. While the NPPs may currently support verbal consent it should be recognised that an organisation faces very real issues in this regard. If there is no record of the individual having provided their consent to a disclosure to a third party the organisation is unable to establish the basis on which they have acted if the decision to disclose information is later challenged.[144]

70.94 Other stakeholders pointed out, however, that there are a number of options for verbal consent available to consumers and service providers. These include the practice of accepting a verbal consent provided that written consent is to be given later, and recording a verbal consent, allowing for a quicker resolution to the problem while still ensuring that the consent is properly recorded for record-keeping purposes.[145]

70.95 The OPC acknowledged that the nomination and verification requirements to be applied will vary, according to the circumstances.

Some circumstances require a more rigorous process for nomination and verification than others due to the potential consequences of the disclosure of personal information. In general, the [OPC] considers that it is good practice to obtain consent in writing. There may be circumstances, however, where it is appropriate for an agency or organisation to accept verbal consent provided that robust identification and security procedures have been followed.[146]

ALRC’s view

70.96 Nominee arrangements provide flexibility for individuals to decide who can act as their ‘agent’ for the purposes of the Privacy Act, and also operate as a useful mechanism in situations where an individual has limited, intermittent or declining capacity.

70.97 The ALRC notes that a number of agencies and organisations already use nominee arrangements for the benefit of their customers. For example, the Centrelink nominee arrangements, despite being subject to some criticism, are generally well received and widely utilised. The Office of the Public Advocate Queensland indicated that, without this arrangement, many people with an impaired capacity would not have received benefits to which they were entitled.[147]

70.98 The ALRC acknowledges that there are arguments against including a nominee arrangement in the Privacy Act. On balance, however, the ALRC sees advantages in setting out nominee arrangements in the Privacy Act. The rationale may be summarised as follows:

  • The nomination should have an enduring quality—that is, the nomination should continue to be valid if the individual loses capacity. The ALRC is concerned that without any legislative provision to the contrary, the consent of the individual to the nomination may be considered to have been withdrawn at the time the individual loses capacity.

  • The relationship should be given a legislative basis with some minimum requirements about how it will operate in practice. The third party nominee has ongoing powers to make decisions on behalf of an individual, and this situation could be subject to abuse.

  • Although the ALRC is not recommending that nominee arrangements be a mandatory requirement, a legislative basis for the nominee arrangement will help to raise the profile of the existence of such arrangements.

70.99 The Privacy Act provisions establishing nominee arrangements should not be overly prescriptive. They must retain flexibility for agencies and organisations to develop practices and procedures that are consistent with their broader operations. Agencies and organisations also may be subject to other obligations, such as the bankers’ duty of confidentiality or particular legislative provisions, which place limits on third party decision making. Each agency and organisation must consider the extent to which it is able to recognise and act upon decisions made by a nominee.

70.100 Some circumstances require a more rigorous process for nomination and verification than others, due to the potential consequences of the disclosure of personal information or the transaction involved. For example, a financial institution may establish a nominee arrangement that has effect for the purposes of the Privacy Act, but does not extend to a nominee withdrawing funds from an account on behalf of the individual. On the other hand, a body such as Optus, which already has a nominee arrangement in place, can harmonise nominee arrangements for the purposes of the Privacy Act with arrangements that allow the nominee to make changes to the contracted service on behalf of the individual.

70.101 The ALRC recommends that the following elements of a nominee arrangement be set out in the Privacy Act:

  • A nomination should be able to be made by the individual, or by a third party authorised by another federal, state or territory law as the substitute decision maker for the individual. The substitute decision maker may nominate himself or herself or an alternative third party as the nominee. While it is not necessary that an authorised substitute decision maker be registered as a nominee for the agency or organisation to recognise that person, the nominee arrangement is a convenient way for the substitute decision maker to be recognised for ongoing dealings with the agency or organisation. A similar approach is taken under the Centrelink nominee arrangements.

  • The nominee may be any individual or an entity. The person making the nomination should not be limited to a list of suitable persons by category. Provision for nominating an entity would overcome concerns raised in this Inquiry about recognising the staff of care and accommodation services, including nursing homes, who regularly act on behalf of, or assist, individuals with routine daily tasks. If an entity were nominated, an authorised staff member of that entity would be able to act as the individual’s nominee, overcoming problems regarding staff turnover that are associated with nominating individuals.

  • The nominee should have an obligation to act in the best interests of the individual on whose behalf the nominee acts. This would establish a basic level of responsibility for the nominee, and a basis upon which an individual could seek redress through the courts in cases where serious harm has been done to the individual by the nominee. It is common for persons appointed as a substitute decision maker to be subject to some kind of obligation, such as the requirement to act honestly and with reasonable diligence,[148] to protect the interests of the donor of the power,[149] or to act in the best interests of the represented person.[150] Under the Centrelink arrangements, a nominee has a duty to ‘act in the best interests of the principal’ at all times.[151]

  • The nomination should be able to be revoked by the individual, an authorised substitute decision maker, the nominee or the agency or organisation.

70.102 There are a number of other matters that should be considered by an agency or organisation in developing a nominee arrangement. While these elements do not need to be specified in legislation, it may be appropriate for the OPC to provide guidance on these issues as part of its guidance on developing and administering nominee arrangements.[152] Such issues may include:

  • provision for verbal, or the requirement of written, authorisation of nominees, and revocation of nominations;

  • time limitations, if any, to be placed on nominations;

  • dealing with conflicting instructions from an individual and his or her nominee;

  • whether to allow for multiple nominees, and how to deal with a conflict of instructions from multiple nominees;

  • circumstances in which an agency or organisation should revoke a nomination;

  • notifying all parties involved when a nomination is revoked; and

  • cost effective procedures that can be built into the nominee arrangement to reduce the risk of abuse, and identify and deal with situations of abuse.

Recommendation 70-1 The Privacy Act should be amended to include the concept of a ‘nominee’ and provide that an agency or organisation may establish nominee arrangements. The agency or organisation should then deal with an individual’s nominee as if the nominee were the individual.

Recommendation 70-2 The Privacy Act shouldbe amended to provide for nominee arrangements, which should include, at a minimum, the following elements:

(a) a nomination can be made by an individual or a substitute decision maker authorised by a federal, state or territory law;

(b) the nominee can be an individual or an entity;

(c) the nominee has a duty to act at all times in the best interests of the individual; and

(d) the nomination can be revoked by the individual, the nominee or the agency or organisation.

Other third parties providing assistance

70.103 While nominee arrangements are suitable for establishing long-term recognition of nominated substitute decision makers, there are many other situations where an individual may wish a third party to be involved in assisting with decision making under the Privacy Act. The third parties involved may be carers, spouses, parents, adult children, interpreters, counsellors, legal representatives or any other person chosen by the individual.

70.104 As outlined above, there is nothing in the Privacy Act that prevents a third party from providing assistance to the individual where this is done with the consent of the individual. Where the assistance requires the third party to have access to the personal information of the individual, the individual can provide consent for the agency or organisation to disclose the information to the third party. Concerns were expressed, however, that such consensual arrangements are not implemented consistently or recognised by agencies and organisations.

70.105 In DP 72, the ALRC proposed that the OPC develop and publish guidance on practices and procedures allowing for the involvement of third parties to assist an individual to make and communicate privacy decisions.[153] Guidance provides agencies and organisations with the confidence to introduce appropriate arrangements that are consistent with the Privacy Act. A number of stakeholders supported the proposal.[154]

70.106 A particular issue was raised by the National Relay Service (NRS). The NRS uses trained officers to relay calls between people who are deaf, hearing-impaired or speech-impaired, and members of the wider community. The NRS acts as a central link in the call by relaying what is said by both parties. Services are provided via phone, computer, mobile phone or teletypewriter (TTY). The NRS indicated that there often are problems with the recognition and authorisation of NRS officers facilitating communication between an individual and service providers, particularly financial institutions dealing with credit matters.[155] It suggested a number of ways the Privacy Act could be amended to ensure that NRS operators can provide the necessary services without express or written authorisation from the individual, including a specific exception for use and disclosure of information to the NRS for the purposes of carrying out its functions.[156]

70.107 While there is no need to amend the Privacy Act to deal specifically with the problems raised by the NRS, OPC guidance on third party representatives should make reference to NRS services and the consensual basis on which they operate.

Married persons

70.108 The Festival of Light Australia suggested that the Privacy Act be amended to provide a presumption that a spouse may give consent, make a request or exercise a right of access on behalf of the other spouse. The Festival of Light indicated the need for the amendment because ‘married couples have, by the act of marrying one another, entered into a unique social and legal relationship’. It suggested that the presumption should operate in the absence of a specific instruction from a married person to the contrary.[157] This suggestion was echoed in a number of comments and submissions received from individuals during this Inquiry.[158]

70.109 Applying a presumption that a spouse is acting with the consent of his or her partner is contrary to the individual rights approach of the Privacy Act and would introduce an unacceptable risk of interference with an individual’s privacy. The ALRC acknowledges the frustrations encountered by many married persons trying to operate within the boundaries of the Privacy Act, such as when trying to sort out a utility or credit card bill formally in the other partner’s name. The ALRC’s recommendations in relation to recognising nominee arrangements in the Privacy Act, together with clear guidance on how such arrangements can operate, should help to facilitate easier interactions between agencies and organisations and their married or partnered customers and clients.

[126] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Questions 61–2, 62–1.

[127] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Australian Mercantile Agents Association, Submission PR 508, 21 December 2007; Australian Investigators Association, Submission PR 507, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Office of the Public Advocate Queensland, Submission PR 435, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007; Festival of Light Australia, Submission PR 354, 1 December 2007.

[128] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[129] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[130] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[131] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[132] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007. The term ‘person responsible’ features in guardianship and administration legislation in a number of jurisdictions: see, eg, Guardianship Act 1987 (NSW) s 33A with ‘person responsible’ defined in s 3D.

[133] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[134] Medicare Australia, Submission PR 534, 21 December 2007.

[135] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Law Council of Australia, Submission PR 527, 21 December 2007.

[136] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[137] Australian Guardianship and Administration Committee, Submission PR 560, 17 January 2008.

[138] ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007.

[139] Carers Australia, Submission PR 423, 7 December 2007.

[140] Medicare Australia, Submission PR 534, 21 December 2007.

[141] Carers Australia, Submission PR 423, 7 December 2007.

[142] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[143] Medicare Australia, Submission PR 534, 21 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; National Relay Service, Submission PR 484, 18 December 2007.

[144] GE Money Australia, Submission PR 537, 21 December 2007. See also Law Council of Australia, Submission PR 527, 21 December 2007 which supported that nomination of third parties be subject to a written requirement.

[145] Australian Collectors Association, Submission PR 505, 20 December 2007. This submission was supported by Australian Mercantile Agents Association, Submission PR 508, 21 December 2007; Australian Investigators Association, Submission PR 507, 21 December 2007.

[146] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[147] Office of the Public Advocate Queensland, Submission PR 195, 12 February 2007.

[148] Guardianship and Administration Act 2000 (Qld) s 35; Powers of Attorney Act 1998 (Qld) s 66; Powers of Attorney and Agency Act 1984 (SA) s 7.

[149] Powers of Attorney Act 2000 (Tas) s 32.

[150] Guardianship and Administration Act 1986 (Vic) s 28; Guardianship and Administration Act 1995 (Tas) s 27.

[151] Social Security (Administration) Act 1999 (Cth) s 123O.

[152] Rec 70–3.

[153] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 62–1.

[154] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Australian Mercantile Agents Association, Submission PR 508, 21 December 2007; Australian Investigators Association, Submission PR 507, 21 December 2007; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Festival of Light Australia, Submission PR 354, 1 December 2007.

[155] Written authorisation from the individual is required before third parties may exercise rights of access to credit reporting information relating to the individual: Privacy Act 1988 (Cth) s 18H(3). This is sometimes interpreted to apply to any disclosure to a third party. This requirement is discussed in Ch 59.

[156] National Relay Service, Submission PR 484, 18 December 2007. Although note that Optus considers that the disclosure is sufficiently authorised by the Telecommunications Act 1997 (Cth), and that there is no need to amend the Privacy Act 1988 (Cth): Optus, Submission PR 532, 21 December 2007.

[157] Festival of Light Australia, Submission PR 354, 1 December 2007.

[158] See, eg, R Minahan, Submission PR 482, 13 December 2007; B Such, Submission PR 71, 2 January 2007; ALRC National Privacy Phone-in, June 2006, Comments #1203, #778, #195. But there was also support for individual privacy within a marriage: ALRC National Privacy Phone-in, June 2006, Comment #840.