Introduction

8.1 Paul Roth has noted that:

It is normally accepted that in law, deceased persons have no privacy interests. This is presumably on the basis that the raison d’être for privacy protection no longer exists, since dead people can feel no shame or humiliation. The underlying common law principle here is much the same as in the law of defamation, which in most jurisdictions does not countenance civil actions that seek to vindicate the reputation of the dead.[1]

8.2 In this chapter, the ALRC considers whether the Privacy Act 1988 (Cth) should be amended to provide protection for the personal information of deceased individuals. Although a deceased individual may ‘feel no shame or humiliation’, there are sound public policy reasons to extend and amend certain of the model Unified Privacy Principles (UPPs) to create a set of provisions that apply to the personal information of deceased individuals. The ALRC recommends provisions to regulate the use and disclosure of the personal information of deceased individuals; access by third parties; data quality; and data security.

8.3 In the ALRC’s view, the protection provided by the Privacy Act is analogous to the protection provided by legal duties of confidentiality that, unlike a right to sue for defamation, do survive the death of the individual. The provisions recommended in this chapter are intended to ensure that living individuals are confident to provide personal information, including sensitive information, in the knowledge that the information will not be disclosed in inappropriate circumstances after they die. The provisions are also intended to protect living relatives and others from distress caused by the inappropriate handling of a deceased individual’s personal information and to provide a right of access to that information for family members and others where such access is reasonable.

8.4 In Chapter 3, the ALRC discusses the constitutional foundations of the Privacy Act, noting that the Act was passed on the basis of the Australian Parliament’s express power to make laws with respect to ‘external affairs’.[2] The external affairs power enables the Australian Parliament to make laws with respect to matters physically external to Australia;[3] and matters relating to Australia’s obligations under bona fide international treaties or agreements, or customary international law.[4] The external affairs power is not confined to meeting international obligations, but may also extend to ‘matters of international concern’.

8.5 The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the United Nations International Covenant on Civil and Political Rights (ICCPR)[5] as well as the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the OECD Guidelines).[6]

8.6 These international instruments are not expressed to apply to deceased individuals and, therefore, may not provide a firm constitutional basis for legislation at the federal level. It may be possible to argue that the limited provisions relating to deceased individuals recommended in this Report do fall within the rights protected by Article 17 of the ICCPR,[7] that they are matters of international concern,[8] or that they relate to the privacy rights of living individuals or are incidental to those rights. In order to avoid uncertainty, however, it may be preferable to seek a referral of power from the states under s 51(xxxvii) of the Australian Constitution in relation to the protection of the personal information of deceased individuals. Section 51(xxxvii) gives the Australian Parliament the power to make laws with respect to matters referred to the Parliament by the parliaments of the states.[9]

The Privacy Act

8.7 The Privacy Act, generally, does not protect the personal information of deceased individuals.[10] The term ‘individual’ is defined in the Act as ‘a natural person’.[11] The Office of the Privacy Commissioner’s (OPC) review of the private sector provisions of the Privacy Act (the OPC Review) stated that:

The term ‘natural person’ is not defined under the Privacy Act or the Acts Interpretation Act 1901; however it appears the term is usually used to distinguish human beings from artificial persons or corporations. Whether the term ‘natural persons’ includes a deceased human being does not appear to have been subject to judicial consideration in Australia or the United Kingdom. The Office considers the term ‘natural person’ to mean a living human being as this is the plain English meaning of the term.[12]

8.8 The OPC, however, has suggested in guidance material issued in respect of the Information Privacy Principles (IPPs), that:

Although information about dead people is not technically considered to be personal information, Agencies are encouraged to respect the sensitivities of family members when using or disclosing it.[13]

8.9 Part VIA of the Privacy Act—dealing with personal information in declared emergencies and disasters—explicitly states, however, that for the purposes of Part VIA, the definition of ‘personal information’ is ‘taken to include a reference to an individual who is not living’. The provisions in Part VIA displace some of the requirements in the IPPs and National Privacy Principles (NPPs) by providing a separate regime for the collection, use and disclosure of personal information in the case of a declared emergency. The aim of Part VIA is to enhance information exchange between Australian Government agencies, state and territory authorities, organisations, non-government organisations and others, in emergencies and disasters. These provisions are discussed in more detail in Chapter 44.

8.10 The personal information of deceased individuals is expressly addressed in a range of other federal, state and territory legislation and receives some protection under the law relating to duties of confidentiality. The following section examines these laws and considers whether further protection is required.

Freedom of Information and Archives Acts

8.11 The Freedom of Information Act 1982 (Cth) (the FOI Act) establishes a legally enforceable right of access to documents, including personal information, held by Australian Government public sector agencies. The Act sets out a number of exceptions to that right of access and these are described as ‘exempt documents’. One class of exempt document is as follows:

A document is an exempt document if its disclosure under this Act would involve the unreasonable disclosure of personal information about any person (including a deceased person).[14]

8.12 Where a request is made for access to the personal information of a deceased individual held by an agency and it appears to the decision maker under the FOI Act that the legal personal representative of the individual might reasonably wish to contend that the document should not be released, the representative must be given a reasonable opportunity to make submissions in relation to the matter.[15] Although the agency may consult under these provisions, the decision whether to release information remains with the agency. Where a decision is made that the personal information of a deceased individual is to be released under the FOI Act, the legal personal representative of the deceased person may apply to the Administrative Appeals Tribunal for review of the decision.[16] The FOI Act does not provide for amendment or annotation of personal information by a third party on behalf of a deceased individual.

8.13 When agencies no longer need ready access to records, most agencies are required to transfer them to the National Archives of Australia. The Archives Act 1983 (Cth) deals with storage, disposal and destruction of such records. The Act also provides that, once records are 30 years old and in the open access period, they should be made available to the public, except in some circumstances. These include where they contain

information or matter the disclosure of which under this Act would involve the unreasonable disclosure of information relating to the personal affairs of any person (including a deceased person).[17]

8.14 Thus, while both the FOI Act and the Archives Act provide avenues for third parties to apply for access to information about deceased individuals, agencies are required to consider whether releasing the information would amount to an ‘unreasonable disclosure’. These Acts are discussed in more detail in Chapter 15.

State and territory privacy legislation

8.15 New South Wales privacy and Victorian health privacy legislation covers personal information about individuals who have been dead for not more than 30 years.[18] This reflects the 30 year period after which government archival records are generally open to public access.[19] The Northern Territory Information Act, which combines privacy, freedom of information and archives provisions, covers personal information within the first five years after an individual dies.[20] Tasmanian privacy legislation extends protection to the personal information of individuals who have been dead for not more than 25 years,[21] and ACT health privacy legislation covers deceased individuals without imposing any time restrictions.[22]

8.16 Under the privacy principles and health privacy principles set out in these Acts, a number of situations arise in which a decision is required from an individual in relation to his or her personal information. For example, individuals are generally required to consent to the collection of sensitive information about them, such as their health information. In the case of a deceased individual, it is clearly impossible for the individual to make that decision or provide consent.

8.17 Instead, a number of these Acts include provisions that allow a decision to be made on behalf of the deceased individual. Under the Health Records and Information Privacy Act 2002 (NSW), for example, an ‘authorised representative’ may make decisions on behalf of a deceased individual.[23] ‘Authorised representative’ includes ‘a person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the individual’,[24] including an executor or administrator of a deceased estate. The arrangements established under these provisions extend to decisions on behalf of any individual that lacks capacity to make a decision under the Act, including deceased individuals.

Duty of confidentiality

8.18 A legal duty of confidentiality may arise in equity, at common law or under contract and provides some protection for personal information provided in confidence. How such duties arise and what they involve are discussed further in Chapters 15 and 16. A duty of confidence ends when the information loses its quality of confidence, whether through the passage of time, loss of secrecy or other change of circumstances.[25] This does not mean, however, that the duty necessarily ends when the person who has provided the information dies. The law of confidentiality, therefore, may provide some protection for the personal information of deceased individuals where that personal information was provided in confidence to, for example, banks, lawyers, doctors and others.

8.19 In a recent decision, the United Kingdom Information Tribunal found that health information relating to a deceased individual should not be released under the Freedom of Information Act 2000 (UK) because a duty of confidentiality still existed. The Tribunal noted the argument put by one of the parties that, if individuals are aware that information they give to their health service providers may be disclosed to the public after their death, they may not make full disclosure, with the result that health service providers may be unable to provide appropriate medical treatment. The Tribunal agreed with this argument and expressed the view that:

We believe that the public interest in maintaining confidentiality in the medical records of a deceased outweighs, by some way, the countervailing public interest in disclosure.[26]

Genetic information

8.20 In the report Essentially Yours: The Protection of Human Genetic Information (ALRC 96), the ALRC and the Australian Health Ethics Committee (AHEC) of the National Health and Medical Research Council (NHMRC) recommended that:

The Commonwealth should amend the Privacy Act to provide that ‘health information’ includes information about an individual who has been dead for 30 years or less. These amendments should include provision for decision making by next-of-kin or an authorised person in relation to the handling of a deceased individual’s health information.[27]

8.21 Extending the protection of the Privacy Act to the genetic information of deceased individuals was justified on the basis of the implications this information may have for living genetic relatives.[28] The Australian Government noted in its response to ALRC 96 that this recommendation was being considered in the context of the development of the National Health Privacy Code.[29]The draft National Health Privacy Code was expressed to apply to the health information of individuals who have been dead for not more than 30 years.[30]

The OPC Review

8.22 The OPC Review noted that extending the Privacy Act to cover the personal information of deceased individuals would require some reworking of provisions and principles relating to consent and the lodging of complaints. The OPC Review recommended that this issue be considered in the context of a wider review of the Act.[31]

[1] P Roth, ‘Privacy Proceedings and the Dead’ (2004) 11 Privacy Law & Policy Reporter 50.

[2]Australian Constitution s 51(xxix). See Privacy Act 1988 (Cth) Preamble.

[3]Horta v Commonwealth (1994) 181 CLR 183.

[4]Commonwealth v Tasmania (1983) 158 CLR 1; Polyukhovich v Commonwealth (1991) 172 CLR 501; Horta v Commonwealth (1994) 181 CLR 183.

[5]International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23, (entered into force generally on 23 March 1976), art 17.

[6] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD Guidelines are discussed further in Ch 1 and Part D.

[7] Art 17(1) provides that ‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation’. It could be argued, for example, that providing no protection for the personal information once individuals are deceased, impacts in an arbitrary way on the privacy of individuals while still alive. Individuals may be constrained in sharing information if they believe that information will be disclosed inappropriately when they die.

[8]See the discussion of protecting the personal information of deceased individuals: European Union Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN WP136 (2007), 22–23. See also, for example, the World Medical Association code of ethics, which provides that: ‘A physician shall preserve absolute confidentiality on all he knows about his patient even after the patient has died’: World Medical Association, International Code of Medical Ethics (2006) <www.wma.net/e/policy/c8.htm> at 18 April 2008.

[9] Models to achieve national consistency in the regulation of privacy are discussed in Ch 3.

[10] The exception is Part VIA of the Privacy Act, which deals with declared disasters and emergencies and is discussed further below and in detail in Ch 44.

[11]Privacy Act 1988 (Cth) s 6(1).

[12] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 281.

[13] Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 3.

[14]Freedom of Information Act 1982 (Cth) s 41(1). There are similar provisions in state and territory legislation. See, eg, Freedom of Information Act 1989 (NSW) sch 1, pt 2 cl 6(1); Freedom of Information Act 1982 (Vic) s 33(1); Freedom of Information Act 1989 (ACT) s 41(1).

[15]Freedom of Information Act 1982 (Cth) s 27A. Legal personal representative includes the executor or administrator of a deceased individual’s estate.

[16] Ibid s 59A.

[17]Archives Act 1983 (Cth) s 33(1)(g).

[18]Privacy and Personal Information Protection Act 1998 (NSW) s 4(3)(a); Health Records and Information Privacy Act 2002 (NSW) s 5(3)(a); Health Records Act 2001 (Vic) ss 3(1), 95.

[19]Archives Act 1983 (Cth) s 3(7).

[20]Information Act 2002 (NT) s 4.

[21]Personal Information Protection Act 2004 (Tas) s 3.

[22]Health Records (Privacy and Access) Act 1997 (ACT) ss 4, 27 and dictionary (definition of ‘consumer’).

[23]Health Records and Information Privacy Act 2002 (NSW) s 7.

[24] Ibid s 8.

[25] R Toulson and C Phipps, Confidentiality (2nd ed, 2006), 117.

[26]Bluck v Information Commissioner [2007] UKIT EA 2006 0090, [13].

[27] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–6.

[28] Ibid, [7.90].

[29] Australian Government Attorney-General’s Department, Government Response to Australian Law Reform Commission and Australian Health Ethics Committee Report: Essentially Yours: The Protection of Human Genetic Information in Australia (2005) <www.ag.gov.au> at 24 April 2008.

[30] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003) pt 4. The Code is discussed further in Ch 60.

[31] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 85.