Discussion Paper proposals

A new part in the Privacy Act

8.34 In DP 72, the ALRC expressed the preliminary view that simply amending the definition of ‘personal information’ to include the personal information of deceased individuals would be problematic. In particular, many of the privacy principles could not apply at all, or could apply only in part, to such information. It appeared more appropriate and workable to indicate the extent to which the privacy principles would apply.

8.35 The ALRC proposed that the Privacy Act should be amended to include a new part dealing with the personal information of deceased individuals who had been dead for 30 years or less.[54] The proposed new part was to include provisions on use and disclosure, access, data quality, data security, genetic information and complaints. Each of these proposed provisions is discussed in more detail below. The part was only to apply to organisations. The ALRC proposed that the personal information of deceased individuals held by agencies should continue to be regulated by the FOI Act and the Archives Act.

Submissions and consultations

8.36 In response to the ALRC’s proposal, a number of stakeholders expressed the view that the Privacy Act should not be extended to cover the personal information of deceased individuals.[55] The Law Council of Australia stated that:

The common law operates such that actions in personam, including, for example, defamation, should not extend to the deceased. This is because a person’s relevant interests do not continue after they have died. Similar to defamation law, the laws relating to privacy are designed to prevent hurt, humiliation and other such injuries to feelings, rather than to protect a property right. Necessarily, and unlike a property right, the ability to experience the feelings with which privacy law is concerned passes with death. Privacy rights, and the remedies they provide, cannot therefore assist deceased people, and should not apply after death.[56]

8.37 The Australian Direct Marketing Association noted that it is often difficult for organisations to know whether an individual is deceased.[57] Acxiom Australia suggested that introducing a right of access to the personal information of deceased individuals would give rise to confusion, given the current privacy regime is based around access by an individual to his or her own information.[58] The Australian Government Department of Agriculture, Fisheries and Forestry noted that the provisions may give rise to particular issues for Indigenous people, given cultural concerns associated with information about deceased individuals.[59]

8.38 The Public Interest Advocacy Centre (PIAC) was concerned that the proposed provisions would ‘place unjustified constraints on legitimate social and historical research, which is often in the public interest’.[60] The School of Public Health at the University of Sydney argued that the proposed provisions should not inhibit the use of the personal information of deceased individuals for research purposes, with appropriate safeguards.[61] In the OPC’s view, the provisions should be limited to the health information of deceased individuals.[62]

8.39 On the other hand, a number of stakeholders expressed support for the ALRC’s proposals.[63] The NHMRC noted, however, that guidance from the Privacy Commissioner may be required in some areas.[64]

8.40 The Office of the Victorian Privacy Commissioner (OVPC) suggested that the protection of personal information is comparable to duties of confidentiality. Unlike a right to sue for defamation, duties of confidentiality can persist after death. The OVPC stated that, without such protection, individuals may be less inclined to share information, particularly sensitive information, through concern that it might be used or disclosed inappropriately when they die.[65]

8.41 The Law Society of New South Wales supported the proposals, but suggested that the provisions should require those wishing to use or disclose such information to take reasonable steps to determine the wishes of the deceased individual, as evidenced in a will or other document.[66]

8.42 In supporting the proposal, the Australian Bankers Association (ABA) stated that, as far as possible, banks handle the personal information of deceased individuals in much the same way as they handle the personal information of living individuals. In the ABA’s view, the personal information of both should be regulated in the same way.[67] The ABA and the National Australia Bank stressed that the proposed provisions should not impose a requirement to retain records for a period of 30 years. They noted that, generally, organisations are only required to retain records for seven years.[68]

ALRC’s view

8.43 The ALRC has considered stakeholder views on extending the Privacy Act to cover the personal information of deceased individuals. Those views were varied and fairly evenly distributed between those who supported the ALRC’s proposals and those who did not. On balance, in the ALRC’s view, the Privacy Act should be amended to include provisions on the handling of personal information of deceased individuals where that information is held by organisations. This would have a number of benefits. It would introduce a level of consistency in the way this information is handled across the private sector. Currently, personal information held by organisations may be subject to state or territory legislative requirements, a duty of confidentiality or simply dealt with as a matter of organisational policy. It would also allow the Privacy Commissioner to become involved where there is a dispute about the handling of such information.

8.44 The ALRC notes the view that the right to privacy attaches to the individual and should not survive the death of the individual, but is of the view that there are legitimate public policy reasons for extending some protection to the personal information of deceased individuals. These include: the fact that individuals may hesitate to share personal information while they are alive if they believe that the information may be handled inappropriately after they die; the need for living individuals to access the personal information of deceased individuals in some circumstances; and the distress caused to living individuals where the personal information of deceased individuals is handled inappropriately. The ALRC notes that these issues are not confined to the handling of the health information of deceased individuals and so has not confined its recommendations to health information, as suggested by the OPC.

8.45 The ALRC has considered the concern that it can be difficult to know whether an individual is deceased. NPP 3 currently requires organisations to take reasonable steps to ensure that personal information they collect, use or disclose is accurate, complete and up-to-date.[69] In many situations, the inquiries necessary to meet this requirement will indicate whether the individual is living or deceased. Other situations, for example, requests for access to the personal information of deceased individuals made by third parties, will provide the opportunity for organisations to confirm whether an individual is living or deceased. It may be, for example, that the third party is asked to provide evidence that the individual is deceased before the organisation releases any information.

8.46 In the ALRC’s view, it is not practicable simply to extend the definition of ‘personal information’ in the Privacy Act to include the personal information of deceased individuals. It is clear that not all of the current privacy principles, or indeed all of the model UPPs, can be applied sensibly, or applied in full, to the personal information of deceased individuals. The ‘Notification’ principle, for example, would have no application. Instead, the Privacy Act should be amended to include specific provisions for the use and disclosure, data quality and data security of the personal information of deceased individuals, and to provide a right of access to such information.

8.47 The Privacy Act also should be amended to include a new part dealing with information about individuals who have been dead for 30 years or less. This does not mean that organisations will be required to keep information for 30 years if not otherwise required to do so. Organisations will be required to handle information in accordance with the recommended provisions for a period of 30 years following the death of the individual. It may be that information can be destroyed before the expiry of the 30 year period in accordance with the data security provision, discussed below.

Agencies

8.48 In DP 72, the ALRC proposed that the personal information of deceased individuals held by agencies should continue to be regulated by the FOI Act and the Archives Act.[70]

Submissions and consultations

8.49 A number of stakeholders expressed support for this proposal.[71] The Government of South Australia supported the proposed provisions on the basis that ‘they leave responsibility for access to State and Territory public sector information to the relevant State and Territory laws’.[72]

8.50 Other stakeholders noted, however, that this would introduce a level of inconsistency into the proposed regime and were of the view that the new provisions of the Privacy Act relating to deceased individuals should apply to both agencies and organisations.[73] Privacy NSW was also of the view that agencies should be covered, to the extent that the provisions were not inconsistent with the FOI Act. It argued that elements of the proposed regime, such as the data quality and data security provisions—which do not have equivalents in the FOI Act—should apply to the personal information of deceased individuals held by agencies.[74]

ALRC’s view

8.51 While acknowledging stakeholder concerns about inconsistency between agencies and organisations, the ALRC has come to the view that the existing regime for dealing with the personal information of deceased individuals held by agencies under the FOI Act and the Archives Act should remain in place. The archiving and destruction of personal information of deceased individuals held by agencies should continue to be regulated by the Archives Act. At the state and territory level, access to personal information of deceased individuals held by public sector agencies should continue to be regulated by state and territory legislation.

8.52 In Chapter 29, the ALRC recommends that the ‘Access and Correction’ principle apply to both agencies and organisations.[75] The principle, reflecting the overall focus of privacy legislation, is limited to access and correction of an individual’s own personal information. In the ALRC’s view, it is appropriate that access and correction of one’s own information be dealt with primarily under the Privacy Act.

8.53 The situation is not as clear cut in relation to the personal information of deceased individuals. Access to the personal information of a deceased individual involves access to the personal information of a third party. This is not the primary focus of the Privacy Act. The handling of information held by agencies about third parties—whether living or deceased—is currently governed by the FOI Act and the Archives Act. These Acts provide a framework within which such information may be disclosed, archived or destroyed and provide individuals with a right of access to such information in appropriate circumstances. While it is possible to argue that the use and disclosure of, and access to, the personal information of deceased individuals held by agencies could be regulated under the Privacy Act, on balance, the ALRC recommends no change to these arrangements. In DP 72, the ALRC proposed that the personal information of deceased individuals held by agencies should continue to be regulated by the FOI Act and the Archives Act. This has not been included as a recommendation in this Report as no change to the existing arrangements is required.

8.54 Given the issues raised by stakeholders, however, the ALRC recommends a number of limited provisions, to be included in the Privacy Act, specifically regulating the personal information of deceased individuals held by organisations. Each of these provisions is discussed in detail below.

Use and disclosure

8.55 In DP 72, the ALRC proposed that organisations should be required to use or disclose the personal information of deceased individuals in accordance with the ‘Use and Disclosure’ principle in the UPPs. Where the principle required consent, the ALRC proposed that the organisation be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person.[76] This test mirrors the requirement imposed on agencies under the FOI Act, in considering whether to provide access to information about third parties.[77]

Submissions and consultations

8.56 A number of organisations noted that, in the course of finalising and administering the estates of a deceased individual—including insurance and superannuation policies—it is necessary to contact third parties such as employers, relatives and friends and to disclose the personal information of the deceased individual to such parties. These organisations wished to ensure that the proposed regime would allow this to continue.[78]

8.57 The National Australia Bank stated that:

NAB appreciates the rationale for the extension of the privacy regime to deceased persons. From a practical implementation perspective, NAB’s preliminary view would be that it may be an ‘unreasonable use or disclosure’ of a deceased person’s information or would have ‘unreasonable impact’ on the privacy of a deceased individual, unless the information was disclosed to a person who was able to provide documented evidence of their entitlement to the information, for example, next of kin or a legal representative.[79]

8.58 PIAC suggested that, in relation to use and disclosure, the test should be whether it would involve an unreasonable use or disclosure of the personal information of any living individual. PIAC did not support asking organisations to decide whether a proposed use or disclosure involved an unreasonable use or disclosure of the personal information of deceased individuals. In PIAC’s view, privacy is an individual right and, once individuals are deceased, they cannot be harmed in any way by the use or disclosure of their personal information.[80]

8.59 The OPC was of the view that the ‘unreasonable use or disclosure’ test was problematic and would create uncertainty. In addition, the OPC argued that disclosure should only be available to those with a legitimate interest in the information. The OPC suggested that this be limited by reference to the definition of ‘responsible person’ in NPP 2.5, which includes parents, adult children, siblings and other relatives, spouses, and de facto spouses.[81]

ALRC’s view

8.60 The Privacy Act should be amended to provide that organisations must use or disclose the personal information of deceased individuals in accordance with the ‘Use and Disclosure’ principle. An organisation should be allowed to use or disclose such information, for example, where the information is being used or disclosed for the primary purpose of collection; or a secondary purpose that is related to (in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the agency or organisation to use or disclose the information for that purpose. This would include, for example, using and disclosing the personal information of a deceased individual in the course of administering his or her life insurance policy or superannuation policy.

8.61 Under the ‘Use and Disclosure’ principle, it would also be possible to use or disclose the personal information of deceased individuals, for example, as part of an investigation into suspected unlawful activity;[82] where required or authorised by or under law;[83] or for research.[84]

8.62 Where a use or disclosure under the principle would require consent, however, the organisation should be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person. The ALRC does not agree that this consideration should be limited to whether the proposed use or disclosure would involve an unreasonable use or disclosure of the personal information of living individuals. It would be important to consider, for example, whether the use or disclosure would be unreasonable given the cultural sensitivities or expressed wishes of the deceased individual.

8.63 An organisation should be permitted to use or disclose the information without consent, however, where it is reasonable to do so in all the circumstances. This is consistent with the test imposed on agencies under the FOI Act relating to the release of information in response to an access request. The test of what amounts to ‘unreasonable disclosure’ has been considered in the FOI context:

The application of the test involves a consideration of all the factors relevant in a particular case and a balancing of all legitimate interests (Wiseman v. Commonwealth, (D251) eg Re Chandra and Minister for Immigration and Ethnic Affairs (D33)).[85]

8.64 There are circumstances in which it would be reasonable for organisations to use or disclose the personal information of deceased individuals for a secondary purpose unrelated to the primary purpose of collection, for example, in response to a request from a family member undertaking family history research. In considering all the factors relevant to a particular case and balancing all legitimate interests, organisations will need to consider issues such as any existing duty of confidentiality to the deceased individual, the interests of other family members and any public interest in the use or disclosure. In some circumstances it may be important to contact family members or the deceased individual’s legal personal representative, or to consider the terms of the deceased individual’s will, in order to be able to make an informed decision about what is reasonable.

8.65 This same test should be applied to the use or disclosure of sensitive information.[86] In considering what is reasonable, the organisation would be required to consider the sensitivity of the information.

Access

8.66 In DP 72, the ALRC proposed that organisations should be required to consider providing third parties with access to the personal information of deceased individuals in accordance with the access elements of the ‘Access and Correction’ principle. The ALRC suggested that organisations should be required to consider in each case whether providing access to the information would have an unreasonable impact on the privacy of other individuals, including the deceased individual.[87] This test mirrors one of the current exemptions in NPP 6.1(c) on access and correction.

8.67 The ALRC also expressed the view that a third party should not have a right to seek to correct the personal information of a deceased individual under the Privacy Act. This is consistent with the position under the FOI Act. In relation to the personal information of deceased individuals, the data quality provision, recommended below, will operate to ensure that information is kept accurate, complete, up-to-date and relevant. In order to comply with the data quality provision, organisations would need to consider information provided by third parties relating to the personal information of a deceased individual.

Submissions and consultations

8.68 While the OPC supported a limited discretion to disclose the health information of deceased individuals, the OPC did not support creating a right of access to the personal information of deceased individuals. The OPC stated that:

‘Access’ is constructed under the Privacy Act to create a positive right for individuals to know what information is held about them by organisations and agencies. Organisations and agencies may only deny it where such denial is specifically permitted by prescribed exceptions. This can be contrasted, for example, with the ‘use and disclosure’ principle which creates discretions for parties to use or disclose the information. Accordingly, the provision of a deceased person’s information to a third party appears to sit more comfortably as an example of a ‘disclosure’, rather than the provision of ‘access’. Further, the Office submits that the mechanism should be discretionary and, therefore, fit neatly as an exception to the ‘disclosure’ principle.[88]

8.69 On the other hand, PIAC was of the view that there were circumstances in which third parties have legitimate grounds to seek access to the personal information of a deceased individual and that organisations should be required to consider providing such access.

For example, members of the Aboriginal ‘Stolen Generation’ need to be able to obtain information about deceased relatives in order to find their identity and re-establish family and community links.[89]

8.70 The Human Rights and Equal Opportunity Commission (HREOC) also expressed support for allowing a right of access to the personal information of deceased individuals in some circumstances.[90] HREOC highlighted the following passage from Bringing Them Home, the report of the National Inquiry into the separation of Aboriginal and Torres Strait Islander children from their families:

The need to protect one person’s privacy has to be weighed against the need to provide another with access to personal information. The refusal to release third party identifying information could deny an Indigenous searcher the opportunity for reunion with his or her family and/or community and access to entitlements for which proof of community connection or Aboriginality generally is required.[91]

8.71 A number of stakeholders expressed the view that it would be difficult to assess which third parties should have access to a deceased individual’s information.[92] The Financial Planning Association of Australia noted that:

Where there are complex family connections … it may be difficult to determine the relationship and, in some circumstances, it may be inappropriate to provide information. In such cases we would suggest that financial planners should not have an obligation to provide sensitive information to anyone other than the executor of the estate.[93]

8.72 The Insurance Council of Australia suggested that individuals requiring access to personal information of deceased individuals should be required to establish a reasonable connection with the deceased individual and a legitimate reason for requesting access to the information.[94] ANZ stated that the right of access to financial information should be limited to those with legal rights to administer the estate of the deceased individual.[95] The Avant Mutual Group Ltd expressed the view that the right of access to health information should be limited to those with legal rights to administer the estate of the deceased individual and immediate family members with a legitimate need for access to the information.[96]

ALRC’s view

8.73 The ALRC has carefully considered the OPC’s view that the Privacy Act should be amended to allow for discretionary disclosure of deceased individuals’ information, but should not include a right of access to such information. In the ALRC’s view, however, it is important to provide a right of access to the personal information of deceased individuals for a number of reasons. The first is that, in some circumstances, it is crucial for individuals to be able to access the personal information of deceased individuals, for example, to understand their genetic health risks or to trace their family history. In such cases, in the ALRC’s view, more than a discretion to disclose is required. There should be a right to access such information.[97]

8.74 Secondly, it is important to ensure that individuals seeking access to the personal information of deceased individuals have recourse to the conciliation and determination processes under the Privacy Act. It is unclear from the OPC’s submission on what basis an individual would complain to the Privacy Commissioner if an organisation exercised its discretion not to disclose information. Providing a right of access to information provides a clear basis for individuals seeking access to information to have recourse to the Privacy Commissioner if access is denied.

8.75 Organisations should be required to provide third parties with access to the personal information of deceased individuals in accordance with the access elements of the ‘Access and Correction’ principle, except to the extent that providing access to the information would have an unreasonable impact on the privacy of other individuals, including the deceased individual. In considering the impact on the privacy of the deceased individual, an organisation might consider, for example, the sensitivity of the information and any expressed wishes of the individual. In deciding what is reasonable, organisations will be required to consider all the circumstances, including the relationship of the individual requesting access to the deceased individual.

8.76 All the other exceptions in the ‘Access and Correction’ principle would apply. For example, an organisation would not be required to provide access to the information if denying access was required or authorised by or under law. This would include situations in which information was protected by a duty of confidentiality, discussed above.

Data quality

8.77 In DP 72, the ALRC proposed that organisations should be required to ensure that the personal information of deceased individuals is, with reference to a use or disclosure permitted under the model UPPs, accurate, complete, up-to-date and relevant before they use or disclose the information.[98]

Submissions and consultations

8.78 One stakeholder suggested that organisations should be required to take ‘reasonable steps’ to ensure that the personal information of deceased individuals is accurate, complete, up-to-date and relevant before they use or disclose the information.[99] PIAC noted that it may be difficult to check data quality in relation to the personal information of deceased individuals without contacting living relatives or legal representatives, and that the information is likely to lose currency after the individual’s death.[100]

8.79 The OPC agreed:

The Office notes that the current NPP on data quality requires that an organisation take ‘reasonable steps’ to make sure that information it is about to use is accurate, complete and up-to-date. The Office suggests that consideration should be given to the inclusion of this term in [the ‘Data Quality’ provision].[101]

ALRC’s view

8.80 The ALRC agrees that organisations should be required to take ‘reasonable steps’ to ensure that the personal information of deceased individuals is accurate, complete, up-to-date and relevant before they use or disclose the information. This is consistent with the language of the ‘Data Quality’ principle. The ALRC recommends, therefore, that organisations should be required to comply with the use and disclosure elements of the ‘Data Quality’ principle in relation to the personal information of deceased individuals.[102]

Data security

8.81 In DP 72, the ALRC proposed that organisations should be required to take reasonable steps to: protect the personal information of deceased individuals from misuse and loss and from unauthorised access, modification or disclosure; and destroy or render personal information of deceased individuals non-identifiable if it is no longer needed for any purpose permitted under the model UPPs.[103]

Submissions and consultations

8.82 In response, PIAC and HREOC expressed concern about the requirement that the personal information of deceased individuals be destroyed in some circumstances, noting the potential adverse impact on social and medical research, and the ability of Indigenous individuals to identify their families and communities.[104] PIAC also discussed the importance of protecting personal information from destruction in the context of investigating claims that Indigenous individuals were denied access to wages, allowances and pensions held on trust by the Aborigines Welfare Board and the New South Wales Government (the ‘Stolen Wages Project’). PIAC noted that

the destruction of or inability to locate the records of private organisations that were involved in the custody and employment of Indigenous people has created and remains a significant barrier to some claimants.[105]

ALRC’s view

8.83 In Chapter 28, the ALRC discusses the ‘Data Security’ principle in detail, including the requirement to destroy or render non-identifiable personal information that is no longer needed for any purpose permitted by the UPPs. In that chapter, the ALRC discusses the retention of information where it may be needed for the purposes of litigation, dispute resolution and research. The ALRC recommends that the ‘Data Security’ principle, as proposed in DP 72, be amended to require that agencies and organisations take reasonable steps to destroy or render non-identifiable personal information that is no longer needed for any purpose for which it can be used or disclosed under the UPPs; and where retention is not required or authorised by or under law.[106] The ALRC also recommends that the OPC develop and publish guidance on these issues. This should include guidance on dealing with information that forms part of a historical record or may need to be preserved for the purpose of future dispute resolution.[107]

8.84 On the basis of these recommendations, in the ALRC’s view, organisations should be required to comply with the ‘Data Security’ principle in relation to the personal information of deceased individuals.

Contractors

8.85 In DP 72, the ALRC proposed that organisations be required to take reasonable steps to ensure that personal information of deceased individuals disclosed pursuant to contract, or otherwise in connection with the provision of a service, is protected from being used or disclosed otherwise than in accordance with the Privacy Act.[108] This requirement reflected one element of the ‘Data Security’ principle proposed in DP 72.[109]

ALRC’s view

8.86 In Chapter 28, the ALRC notes that this element of the ‘Data Security’ principle will not be necessary if the recommendations in this Report are implemented. The provision was intended to address the situation in which information handling is contracted out, in particular to small businesses not covered by the Privacy Act. Once the recommendations in this Report are implemented, however, there will be no need to cover this regulatory ‘gap’ as agencies and organisations, including organisations that are small businesses, will be covered by the model UPPs. On this basis, the ALRC is of the view that this element is not required in the data security provisions applicable to the personal information of deceased individuals.

Recommendation 8-1 The Privacy Act should be amended to include provisions dealing with the personal information of individuals who have been dead for 30 years or less where the information is held by an organisation. The Act should provide as follows:

(a) Use and Disclosure

Organisations should be required to comply with the ‘Use and Disclosure’ principle in relation to the personal information of deceased individuals. Where the principle would have required consent, the organisation should be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person. The organisation must not use or disclose the information if the use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person.

(b) Access

Organisations should be required to provide third parties with access to the personal information of deceased individuals in accordance with the access elements of the ‘Access and Correction’ principle, except to the extent that providing access would have an unreasonable impact on the privacy of other individuals, including the deceased individual.

(c) Data Quality

Organisations should be required to comply with the use and disclosure elements of the ‘Data Quality’ principle in relation to the personal information of deceased individuals.

(d) Data Security

Organisations should be required to comply with the ‘Data Security’ principle in relation to the personal information of deceased individuals.

Genetic information

8.87 In ALRC 96, the ALRC and AHEC recommended that:

  • the Privacy Act should be amended to permit the disclosure of an individual’s genetic information to a genetic relative where the disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety;[110]

  • the Privacy Act should be amended to provide individuals with a right to access genetic information about first-degree genetic relatives where such access is necessary to lessen or prevent a serious threat to the individual’s life, health, or safety. The right of access could be refused where providing access would have an unreasonable impact upon the privacy of any individual;[111] and

  • the NHMRC, in consultation with the OPC, should develop guidelines dealing with the disclosure of, and access to, genetic information in these circumstances.[112]

8.88 The Privacy Act was subsequently amended to implement two of these three recommendations. The new provision, NPP 2.1(ea), allows an organisation to use or disclose an individual’s genetic information where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual. NPP 2.1(ea) also provides that any such use or disclosure must be in accordance with guidelines issued by the NHMRC and approved by the Privacy Commissioner. The Privacy Act was not, however, amended to implement Recommendation 21–3, in relation to providing a right of access to genetic information.

8.89 In Chapter 63, the ALRC considers NPP 2.1(ea) and recommends that the provision be moved to the new Privacy (Health Information) Regulations. The ALRC also recommends that the provision be amended to apply to both agencies and organisations and that the reference to guidelines issued by the NHMRC be replaced with a reference to rules issued by the Privacy Commissioner. It is anticipated that these rules will address issues such as providing genetic information through a nominated medical practitioner or genetic counsellor, who can explain the clinical relevance of the information.[113]

8.90 In DP 72, the ALRC proposed that the provisions dealing with the use or disclosure of personal information of deceased individuals should make clear that it is reasonable for an organisation to use or disclose genetic information to a genetic relative of a deceased individual where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative.[114]

Submissions and consultations

8.91 A number of stakeholders expressed support for the ALRC’s proposal concerning the release of genetic information of a deceased individual to a genetic relative.[115]

8.92 The OPC suggested that the intent of the proposal could be achieved more simply by extending the application of existing NPP 2.1(ea) to include the genetic information of deceased individuals.[116]

ALRC’s view

8.93 The ALRC agrees that NPP 2.1(ea)—to be moved to the new Privacy (Health Information) Regulations in accordance with Recommendation 63–5—should be extended to apply to the use and disclosure of genetic information of deceased individuals to their genetic relatives. This will ensure that any such use and disclosure is conducted in accordance with the rules to be issued by the Privacy Commissioner.

8.94 Recommendation 21–3 of ALRC 96—providing a right of access to the genetic information of a genetic relative—should be implemented and should, as recommended in ALRC 96, extend to the personal information of deceased individuals. In ALRC 96, the ALRC and AHEC recommended that any such access should be provided in accordance with binding guidelines to be issued by the NHMRC and approved by the Privacy Commissioner. In order to be consistent with other recommendations in this Report,[117] those guidelines should be renamed rules and should be issued by the Privacy Commissioner.

Recommendation 8-2 The Privacy Act should be amended to provide that the content of National Privacy Principle 2.1(ea) on the use and disclosure of genetic information to genetic relatives—to be moved to the new Privacy (Health Information) Regulations in accordance with Recommendation 63–5—should apply to the use and disclosure of genetic information of deceased individuals.

Consultation with and decisions by third parties

8.95 As discussed above, some state and territory privacy legislation makes provision for decisions to be made by third parties on behalf of deceased individuals where a decision is required in relation to the deceased individual’s personal information.

8.96 In addition, under the FOI Act where there is a request to access the personal information of a deceased individual, the Act requires agencies, in some circumstances, to provide a deceased individual’s legal personal representative with a reasonable opportunity to make submissions in relation to the request.[118] The agency, however, retains the power to make the decision on whether access is granted.[119]

8.97 In ALRC 96, the ALRC and AHEC recommended that the definition of ‘health information’ in the Privacy Act be amended to include information about an individual who has been dead for 30 years or less and that these amendments should include provision for decision making by next-of-kin or an authorised person.[120] In ALRC 96, the ALRC and AHEC noted, however, that:

If the law requires that access to genetic information about a deceased individual can be granted only with the consent of that person’s legal or other authorised representative, genetic relatives may still have problems in gaining access.[121]

ALRC’s view

8.98 In considering whether to impose an obligation on organisations to consult with third parties, or a requirement to seek a decision from a third party on behalf of a deceased individual, the ALRC considered the difficulties with these processes highlighted by stakeholders. These included: the fact that family members and other third party representatives often have different views on the appropriateness of access to information, or the sensitivity of that information; the difficulties in finding and contacting relevant third parties; and the fact that this becomes more difficult over time. In relation to requests for access to health information, genetic information or family history information, in particular, the ALRC’s view is that one individual or family member should not be able to stop another family member from gaining access to a deceased family member’s information. For this reason the ALRC is no longer of the view, expressed in ALRC 96, that provision should be made for decision making by next-of-kin or another authorised person.

8.99 The ALRC also considered the likely compliance costs such processes would impose on organisations. On balance, the ALRC considers that such an obligation or requirement should not be imposed on organisations.

8.100 Instead, where a decision by the individual would have been required, the ALRC recommends that organisations dealing with the personal information of a deceased individual be required to decide whether the proposed use or disclosure would involve ‘an unreasonable use or disclosure of personal information’ or whether providing access to the information would have ‘an unreasonable impact on the privacy of other individuals, including the deceased individual’.

8.101 The decision to use or disclose, or to provide access to, the information should remain with the organisation, rather than with a third party representing the deceased individual. In order to make informed decisions in this area, organisations may find it useful, or even necessary, to consult deceased individuals’ families or legal personal representatives but the ALRC does not propose that there be a legal requirement to do so in the Privacy Act.

Complaints

8.102 In DP 72, the ALRC proposed that breach of the provisions relating to the personal information of a deceased individual should be considered an interference with privacy under the Privacy Act. This would allow a complaint to be lodged with the Privacy Commissioner. The ALRC’s preliminary view was that the following individuals should have standing to lodge a complaint:

  • in relation to an alleged breach of the use and disclosure, data quality or data security provisions—the deceased individual’s parent, child or sibling who is at least 18 years old, spouse, de facto partner or legal personal representative; and

  • in relation to an alleged breach of the access provision—any person who has made a request for access to the personal information of a deceased individual.[122]

Submissions and consultations

8.103 A number of stakeholders expressed support for the ALRC’s proposal in relation to standing to make complaints.[123] The OVPC suggested that the categories of people with standing should be expanded to include ‘any other individual who, in the opinion of the Privacy Commissioner, has a sufficient interest in the subject-matter of the complaint’.[124]

8.104 The OPC agreed that parents, children, siblings, spouses, de facto partners or legal personal representatives should have standing to lodge a complaint alleging an interference with the privacy of a deceased individual. The OPC did have concerns, however, about denial of access giving rise to a complaint:

The Office submits that, in many cases, it may be inappropriate to consider a denial of ‘access’ to a deceased individual’s information as an interference with the privacy of the deceased. This is particularly the case, for example, if the interests of the requesting party are commercial rather than personal. Such a construction may not align with a general understanding of what an interference with privacy may entail.[125]

8.105 PIAC, and one other stakeholder,[126] expressed the view that only third parties whose privacy has been impacted by the handling of the personal information of a deceased individual should have standing to lodge a complaint.[127] The Law Council of Australia queried whether it was appropriate to allow third parties to lodge complaints and seek redress for an infringement of another person’s privacy.[128]

ALRC’s view

8.106 A breach of the provisions relating to the personal information of a deceased individual should be considered an ‘interference with privacy’ under the Privacy Act, giving rise to the right to lodge a complaint with the Privacy Commissioner. The complaint process should parallel, as far as possible, the process provided for complaints by living individuals about the handling of their own personal information by organisations.

8.107 In some circumstances, the relevant ‘interference with privacy’ will not be an interference with the privacy of the deceased individual. In relation to a denial of access to the personal information of a deceased individual, for example, the ALRC uses the term ‘interference with privacy’ in a purely technical sense to indicate that an alleged breach of the provision would ground a right to lodge a complaint with the Privacy Commissioner.

8.108 The following individuals should have standing to lodge a complaint about the handling of the personal information of a deceased individual. In relation to an alleged breach of the use and disclosure, access, data quality or data security provisions, the deceased individual’s parents, children or siblings who are at least 18 years old, spouse, de facto partner[129] or legal personal representative should have standing to allege an interference with privacy. The relevant proposal in DP 72 did not include the access provision in this list. The ALRC is now of the view that these parties should be able to lodge a complaint with the Privacy Commissioner where, for example, access has been provided to a third party in inappropriate circumstances.

8.109 The ALRC considers that the OVPC’s suggestion that this list should be extended to include ‘any other individual who, in the opinion of the Privacy Commissioner, has a sufficient interest in the subject-matter of the complaint’ has merit. The ALRC has not, however, had the opportunity to consult on this issue and so is not in a position to make such a recommendation.

8.110 In relation to a request for access to the personal information of a deceased individual, in addition to the parties mentioned above, any person who has made a request for access to the personal information of a deceased individual and has been denied access should have standing to lodge a complaint.

Recommendation 8-3 Breach of the provisions relating to the personal information of a deceased individual should be considered an interference with privacy under the Privacy Act. The following individuals should have standing to lodge a complaint with the Privacy Commissioner:

(a) in relation to an alleged breach of the use and disclosure, access, data quality or data security provisions—the deceased individual’s parent, child or sibling who is aged 18 or over, spouse, de facto partner or legal personal representative; and

(b) in relation to an alleged breach of the access provision—the parties in paragraph (a) and any person who has made a request for access to the personal information of a deceased individual where that request has been denied.

[54] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11.

[55] GE Money Australia, Submission PR 537, 21 December 2007; Confidential, Submission PR 536, 21 December 2007; Law Council of Australia, Submission PR 527, 21 December 2007; Australian Library and Information Association, Submission PR 446, 10 December 2007.

[56] Law Council of Australia, Submission PR 527, 21 December 2007.

[57] Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[58] Acxiom Australia, Submission PR 551, 1 January 2008.

[59] Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008.

[60] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[61] School of Public Health—University of Sydney, Submission PR 504, 20 December 2007.

[62] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[63] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[64] National Health and Medical Research Council, Submission PR 397, 7 December 2007. National Legal Aid agreed that guidance would be necessary: National Legal Aid, Submission PR 521, 21 December 2007.

[65] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[66] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[67] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[68] Ibid; National Australia Bank, Submission PR 408, 7 December 2007.

[69] These criteria are retained in the ‘Data Quality’ principle in the model UPPs.

[70] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–10.

[71] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[72] Government of South Australia, Submission PR 565, 29 January 2008.

[73] Confidential, Submission PR 570, 13 February 2008; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[74] Privacy NSW, Submission PR 468, 14 December 2007.

[75] Rec 29–1.

[76] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11.

[77] Freedom of Information Act 1982 (Cth) s 41.

[78] Investment and Financial Services Association, Submission PR 538, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Optus, Submission PR 532, 21 December 2007; AXA, Submission PR 442, 10 December 2007.

[79] National Australia Bank, Submission PR 408, 7 December 2007.

[80] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[81] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[82] UPP 5.1(d).

[83] UPP 5.1(e).

[84] UPP 5.1(g).

[85] Australian Government Attorney-General’s Department, Freedom of Information Memorandum 98: Exemption Sections in the FOI Act (2005).

[86] Health information of deceased individuals is discussed further below.

[87] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11.

[88] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[89] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[90] Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007.

[91] Human Rights and Equal Opportunity Commission, Bringing Them Home: Report of the National Inquiry into the Separation of Aboriginal and Torres Strait Islander Children from their Families (1997), 350.

[92] Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Australian Unity Group, Submission PR 381, 6 December 2007.

[93] Financial Planning Association of Australia, Submission PR 496, 19 December 2007.

[94] Insurance Council of Australia, Submission PR 485, 18 December 2007.

[95] ANZ, Submission PR 467, 13 December 2007.

[96] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[97] In ALRC 96, the ALRC and the Australian Health Ethics Committee (AHEC) recommended that the Privacy Act be amended to provide that an individual has a right to access genetic information about first-degree genetic relatives where such access is necessary to lessen or prevent a serious threat to the individual’s life, health, or safety. See Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 21–3.

[98] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11(c).

[99] Confidential, Submission PR 519, 21 December 2007.

[100] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[101] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[102] The ‘Data Quality’ principle also applies to the collection of personal information relating to living individuals, but the ALRC does not recommend that this element of the principle be applied to the personal information of deceased individuals.

[103] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11(d).

[104] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007.

[105] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[106] Rec 28–4.

[107] Rec 28–5.

[108] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–11.

[109] Ibid, Proposal 25–2.

[110] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 21–1.

[111] Ibid, Rec 21–3.

[112] Ibid, Rec 21–2.

[113] Rec 63–5.

[114] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–12.

[115] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Centre for Law and Genetics, Submission PR 497, 20 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[116] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[117] Recs 47–2 and 63–5.

[118] Freedom of Information Act 1982 (Cth) s 27A.

[119] Ibid s 41.

[120] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–6.

[121] Ibid, [7.93].

[122] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 3–13.

[123] Australian Privacy Foundation, Submission PR 553, 2 January 2008; P Youngman, Submission PR 394, 7 December 2007.

[124] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. See Information Privacy Act 2000 (Vic) s 27.

[125] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[126] Confidential, Submission PR 536, 21 December 2007.

[127] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[128] Law Council of Australia, Submission PR 527, 21 December 2007.

[129] The ALRC recommends that the term ‘de facto spouse’ in the Privacy Act be changed to ‘de facto partner’: see Rec 63–4.