Issues Paper 31

8.23 In Issues Paper 31, Review of Privacy (IP 31), the ALRC asked whether the definition of ‘personal information’ in the Privacy Act should be amended to include the personal information of deceased individuals.[32]

Submissions and consultations

8.24 There was significant support expressed in submissions and consultations in response to IP 31 for extending at least some privacy principles to the personal information of deceased individuals.[33] Some of the problems arising from the handling of personal information of deceased individuals were highlighted in submissions. One individual noted that she was distressed by direct marketing companies attempting to contact her deceased husband.[34] Another expressed concern about an insurance company seeking to collect health information about him from his next of kin, in the mistaken belief that he was deceased.[35] One stakeholder provided a detailed case study of the difficulties encountered when her adopted sister died. A number of organisations refused to disclose her sister’s personal information to her, or to allow insurance to be cancelled or accounts to be closed, even though she produced a death certificate and documents showing she was the administrator of her sister’s estate. She stated:

May I suggest, taking into account my personal and very distressing circumstances, that while appreciating a person’s privacy needs to be protected, some common sense is applied in the case of a deceased person.[36]

8.25 In its submission, the Australian Privacy Foundation (APF) noted that there are good arguments both for and against extending privacy rights to cover the personal information of deceased individuals. The APF noted that not all the privacy principles sensibly apply to the personal information of deceased individuals. For example, the person cannot be notified or consulted about how his or her personal information is to be handled. The APF argued that it might be preferable to enact specific provisions to address this issue, rather than simply extend the definition of ‘personal information’ to include the personal information of deceased individuals.[37] A number of other stakeholders also expressed the view that the principles should apply only so far as is practicable.[38]

8.26 AAMI expressed support for extending the Privacy Act to cover the information of deceased individuals:

AAMI often sadly is dealing with a deceased person’s information, mainly as a result of a fatality claim on a motor vehicle insurance policy or as part of a compulsory third party (CTP) claim. AAMI currently applies its privacy protection procedures to the deceased personal information as it would to a natural person, as far as is practicable. Therefore AAMI supports amending the Act to include personal information of the deceased, with the provision that in certain circumstances it may not be practicable.[39]

8.27 Other organisations noted that, to simplify matters, or in order to comply with state and territory legislation, as far as possible they handle the personal information of deceased individuals in the same way as they handle the personal information of living individuals.[40] The Australian Government Department of Community Services expressed support for extending the Privacy Act to cover the personal information of deceased individuals and noted that the secrecy provisions included in Medicare and Centrelink legislation continued to cover individuals after death.[41]

8.28 The Centre for Law and Genetics expressed support for extending the Privacy Act to cover the personal information of deceased individuals and noted that the justification is particularly strong in relation to Indigenous communities. It noted that those communities have ‘religious and spiritual concerns about representations of deceased individuals’.[42]

8.29 The NHMRC stated that:

The present situation, whereby the health information of deceased persons is protected by legislation in several States and Territories but not by Commonwealth legislation adds to the complexity and confusion created by the existing regulatory regime; and

Information about the health of deceased persons, in particular but not limited to genetic information, may have significant implications for living relatives, both genetic and non-genetic. It is preferable for representatives of the deceased to be able to consent to collection, use and disclosure of such information.[43]

8.30 Some concerns were raised about extending the Privacy Act to include the personal information of deceased individuals. These included: increased complexity for executors, family members and insurance companies following the death of an individual;[44] more limited access to information for research and other activities of interest to family members or in the public interest;[45] and an additional compliance burden for business.[46]

8.31 The Australian Federal Police did not support extending the Privacy Act to cover the personal information of deceased individuals because of the potential to complicate their investigations relating to such persons.[47] The Australian Tax Office stated that:

In our view, there may be some justification for expanding the definition to include information about the deceased, particularly health and medical information. However, we would be hesitant to recommend any changes that would restrict the way that regulatory and enforcement agencies can access information about the deceased to maintain up-to-date and accurate registers. The ability to collect and use information about deceased persons helps us to keep our taxpayer records as accurate as possible. Access to this information is also a key way of combating identity fraud as it helps to prevent ‘new’ identities being registered using details of the deceased.[48]

8.32 A number of stakeholders also commented on the difficulties that arise when it is necessary to seek decisions on behalf of deceased individuals from alternative decision makers. One stakeholder noted that family members often do not speak with one voice on such matters.[49] Other stakeholders noted that obtaining consent can be difficult, especially where there is a dispute in the family,[50] and that it becomes more difficult to identify and locate alternative decision makers as time passes.[51] Where it is not possible to identify and locate an alternative decision maker, this may mean that information cannot be collected, used or disclosed.

8.33 The State Records Office of Western Australia commented that concerns about sensitive personal information of deceased individuals tend to diminish over time.[52] The Privacy Committee of South Australia noted that, in dealing with the personal information of deceased individuals, it was necessary to balance privacy concerns with what is reasonable and what is in the public interest.[53]

[32] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 3–5.

[33] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Queensland Government Commission for Children and Young People and Child Guardian, Submission PR 171, 5 February 2007; Australian Institute of Health and Welfare, Submission PR 170, 5 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; AAMI, Submission PR 147, 29 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007 Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[34] A Baxter, Submission PR 74, 5 January 2007.

[35] Confidential, Submission PR 223, 8 March 2007.

[36] N Sertori, Submission PR 349, 23 November 2007.

[37] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[38] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007.

[39] AAMI, Submission PR 147, 29 January 2007.

[40] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AXA, Submission PR 119, 15 January 2007.

[41] Australian Government Department of Human Services, Submission PR 136, 19 January 2007.

[42] Centre for Law and Genetics, Submission PR 127, 16 January 2007. See also the discussion of the particular privacy needs of Indigenous people in Ch 7.

[43] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[44] Australian Health Insurance Association, Submission PR 161, 31 January 2007.

[45] Government of South Australia, Submission PR 187, 12 February 2007; Australian Institute of Health and Welfare, Submission PR 170, 5 February 2007; Public Record Office Victoria, Submission PR 72, 3 January 2007.

[46] Institute of Mercantile Agents, Submission PR 101, 15 January 2007.

[47] Australian Federal Police, Submission PR 186, 9 February 2007.

[48] Australian Taxation Office, Submission PR 168, 15 February 2007.

[49] Public Record Office Victoria, Submission PR 72, 3 January 2007.

[50] Banking and Financial Services Ombudsman, Consultation PC 76, Melbourne, 5 February 2007.

[51] B Armstrong, Consultation PC 47, Sydney, 10 January 2007.

[52] State Records Office of Western Australia, Consultation PC 67, Perth, 24 January 2007.

[53] Privacy Committee of South Australia, Consultation PC 110, Adelaide, 1 March 2007.