Part D—The Privacy Principles

18. Structural Reform of the Privacy Principles

Recommendation 18–1 The privacy principles in the Privacy Act should be drafted to pursue, as much as practicable, the following objectives:

(a) the obligations in the privacy principles generally should be expressed as high-level principles;

(b) the privacy principles should be technology neutral;

(c) the privacy principles should be simple, clear and easy to understand and apply; and

(d) the privacy principles should impose reasonable obligations on agencies and organisations.

Recommendation 18–2 The Privacy Act should be amended to consolidate the current Information Privacy Principles and National Privacy Principles into a single set of privacy principles, referred to in this Report as the model Unified Privacy Principles.

19. Consent

Recommendation 19–1 The Office of the Privacy Commissioner should develop and publish further guidance about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act. This guidance should:

(a) address the factors to be taken into account by agencies and organisations in assessing whether consent has been obtained;

(b) cover express and implied consent as it applies in various contexts; and

(c) include advice on when it is and is not appropriate to use the mechanism of ‘bundled consent’.

20. Anonymity and Pseudonymity

Recommendation 20–1 The model Unified Privacy Principles should contain a principle called ‘Anonymity and Pseudonymity’ that requires an agency or organisation to give individuals the clear option to interact anonymously or pseudonymously, where this is lawful and practicable in the circumstances.

Recommendation 20–2 The Office of the Privacy Commissioner should develop and publish guidance on:

(a) when it is and is not ‘lawful and practicable’ to give individuals the option to interact anonymously or pseudonymously with agencies or organisations;

(b) what is involved in providing a ‘clear option’ to interact anonymously or pseudonymously; and

(c) the difference between providing individuals with the option to interact anonymously and pseudonymously.

21. Collection

Recommendation 21–1 The model Unified Privacy Principles should contain a principle called ‘Collection’ that requires agencies and organisations, where reasonable and practicable, to collect personal information about an individual only from the individual concerned.

Recommendation 21–2 The Office of the Privacy Commissioner should develop and publish further guidance to clarify when it would not be reasonable and practicable to collect personal information about an individual only from the individual concerned. In particular, the guidance should address collection:

(a) of personal information by agencies pursuant to the exercise of their coercive information-gathering powers or in accordance with their intelligence-gathering, investigative, and compliance functions;

(b) of statistical data;

(c) of personal information in circumstances in which it is necessary to verify an individual’s personal information;

(d) of personal information in circumstances in which the collection process is likely to, or will, disclose the personal information of multiple individuals; and

(e) from persons under the age of 18, persons with a decision-making incapacity and those authorised to provide personal information on behalf of the individual.

Recommendation 21–3 The ‘Collection’ principle should provide that, where an agency or organisation receives unsolicited personal information, it must either:

(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or

(b) comply with all relevant provisions in the model Unified Privacy Principles that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.

Recommendation 21–4 The Office of the Privacy Commissioner should develop and publish guidance about the meaning of ‘unsolicited’ in the context of the ‘Collection’ principle.

Recommendation 21–5 The ‘Collection’ principle in the model Unified Privacy Principles should provide that an agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

22. Sensitive Information

Recommendation 22–1 The model Unified Privacy Principles should set out the requirements of agencies and organisations in relation to the collection of personal information that is defined as ‘sensitive information’ for the purposes of the Privacy Act. These requirements should be located in the ‘Collection’ principle.

Recommendation 22–2 The sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is required or authorised by or under law.

Recommendation 22–3 The sensitive information provisions should contain an exception permitting the collection of sensitive information by an agency or organisation where the collection is necessary to lessen or prevent a serious threat to the life or health of any individual, where the individual whom the information concerns is legally or physically incapable of giving or communicating consent.

23. Notification

Recommendation 23–1 The model Unified Privacy Principles should contain a principle called ‘Notification’ that sets out the requirements on agencies and organisations to notify individuals or otherwise ensure they are aware of particular matters relating to the collection and handling of personal information about the individual.

Recommendation 23–2 The ‘Notification’ principle should provide that, at or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify or otherwise ensure that the individual is aware of the:

(a) fact and circumstances of collection where the individual may not be aware that his or her personal information has been collected;

(b) identity and contact details of the agency or organisation;

(c) rights of access to, and correction of, personal information provided by these principles;

(d) purposes for which the information has been collected;

(e) main consequences of not providing the information;

(f) actual, or types of, agencies, organisations, entities or persons to whom the agency or organisation usually discloses personal information of the kind collected;

(g) fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and

(h) fact, where applicable, that the collection is required or authorised by or under law.

Recommendation 23–3 The Office of the Privacy Commissioner should develop and publish guidance to assist agencies and organisations in complying with the ‘Notification’ principle. In particular, the guidance should address:

(a) the circumstances when it would and would not be reasonable for an agency or organisation to take no steps to notify individuals about the matters specified in the ‘Notification’ principle. In this regard, the guidance should address the circumstances when:

(i) notification would prejudice the purpose of collection, for example, where it would prejudice:

– the prevention, detection, investigation, and prosecution of offences, breaches of law imposing a penalty or seriously improper conduct;

– the enforcement of laws; or

– the protection of the public revenue;

(ii) the collection of personal information is required or authorised by or under law for statistical or research purposes;

(iii) the personal information is collected from an individual on repeated occasions;

(iv) an individual has been made aware of the relevant matters by the agency or organisation which disclosed the information to the collecting agency or organisation;

(v) non-compliance with the principle is authorised by the individual concerned;

(vi) the taking of no steps is required or authorised by or under law;

(vii) notification would pose a serious threat to the life or health of any individual; and

(viii) health services collect family, social or medical histories;

(b) the appropriate level of specificity when notifying individuals about anticipated disclosures to agencies, organisations, entities and persons; and

(c) the circumstances in which an agency or organisation can comply with specific limbs of the ‘Notification’ principle by alerting an individual to specific sections of its Privacy Policy or to other general documents.

24. Openness

Recommendation 24–1 The model Unified Privacy Principles should contain a principle called ‘Openness’. The principle should set out the requirements on an agency or organisation to operate openly and transparently by setting out clearly expressed policies on its handling of personal information in a Privacy Policy, including how it collects, holds, uses and discloses personal information. This document also should include:

(a) what sort of personal information the agency or organisation holds;

(b) the purposes for which personal information is held;

(c) the steps individuals may take to access and correct personal information about them held by the agency or organisation; and

(d) the avenues of complaint available to individuals in the event that they have a privacy complaint.

Recommendation 24–2 An agency or organisation should take reasonable steps to make its Privacy Policy, as referred to in the ‘Openness’ principle, available without charge to an individual electronically; and, on request, in hard copy or in an alternative form accessible to individuals with special needs.

Recommendation 24–3 The Office of the Privacy Commissioner should continue to encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information-handling practices. Short form privacy notices should be seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act.

25. Use and Disclosure

Recommendation 25–1 The model Unified Privacy Principles should contain a principle called ‘Use and Disclosure’ that sets out the requirements on agencies and organisations in respect of the use and disclosure of personal information for a purpose other than the primary purpose of collection.

Recommendation 25–2 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose), if the:

(a) secondary purpose is related to the primary purpose and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(b) individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose.

Recommendation 25–3 The ‘Use and Disclosure’ principle should contain an exception permitting an agency or organisation to use or disclose an individual’s personal information for a purpose other than the primary purpose of collection (the secondary purpose) if the agency or organisation reasonably believes that the use or disclosure for the secondary purpose is necessary to lessen or prevent a serious threat to: (a) an individual’s life, health or safety; or (b) public health or public safety.

26. Direct Marketing

Recommendation 26–1 The model Unified Privacy Principles should regulate direct marketing by organisations in a discrete privacy principle, separate from the ‘Use and Disclosure’ principle. This principle should be called ‘Direct Marketing’ and it should apply regardless of whether the organisation has collected the individual’s personal information for the primary purpose or a secondary purpose of direct marketing. The principle should distinguish between direct marketing to individuals who are existing customers and direct marketing to individuals who are not existing customers.

Recommendation 26–2 The ‘Direct Marketing’ principle should set out the generally applicable requirements for organisations engaged in the practice of direct marketing. These requirements should be displaced, however, to the extent that more specific sectoral legislation regulates a particular aspect or type of direct marketing.

Recommendation 26–3 The ‘Direct Marketing’ principle should provide that an organisation may use or disclose personal information about an individual who is an existing customer aged 15 years or over for the purpose of direct marketing only where the:

(a) individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and

(b) organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any direct marketing communications.

Recommendation 26–4 The ‘Direct Marketing’ principle should provide that an organisation may use or disclose personal information about an individual who is not an existing customer or is under 15 years of age for the purpose of direct marketing only in the following circumstances:

(a) either:

(i) the individual has consented; or

(ii) the information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure;

(b) in each direct marketing communication, the organisation draws to the individual’s attention, or prominently displays, a notice advising the individual that he or she may express a wish not to receive any direct marketing communications; and

(c) the organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any direct marketing communications.

Recommendation 26–5 The ‘Direct Marketing’ principle should provide that an organisation involved in direct marketing must comply, within a reasonable period of time, with an individual’s request not to receive further direct marketing communications and must not charge the individual for giving effect to such a request.

Recommendation 26–6 The ‘Direct Marketing’ principle should provide that an organisation that has made direct marketing communications to an individual who is not an existing customer or is under 15 years of age must, where reasonable and practicable and where requested to do so by the individual, advise the individual of the source from which it acquired the individual’s personal information.

Recommendation 26–7 The Office of the Privacy Commissioner should develop and publish guidance to assist organisations in complying with the ‘Direct Marketing’ principle, including:

(a) what constitutes an ‘existing customer’;

(b) the types of direct marketing communications which are likely to be within the reasonable expectations of existing customers;

(c) the kinds of circumstances in which it will be impracticable for an organisation to seek consent in relation to direct marketing to an individual who is not an existing customer or is under the age of 15 years;

(d) the factors for an organisation to consider in determining whether it is reasonable and practicable to advise an individual of the source from which it acquired the individual’s personal information; and

(e) the obligations of organisations involved in direct marketing under the Privacy Act in dealing with vulnerable people.

27. Data Quality

Recommendation 27–1 The model Unified Privacy Principles should contain a principle called ‘Data Quality’ that requires an agency or organisation to take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.

28. Data Security

Recommendation 28–1 The model Unified Privacy Principles should contain a principle called ‘Data Security’ that applies to agencies and organisations.

Recommendation 28–2 A note should be inserted after the ‘Data Security’ principle cross-referencing to the data breach notification provisions.

Recommendation 28–3 The Office of the Privacy Commissioner should develop and publish guidance about the ‘reasonable steps’ agencies and organisations should take to prevent the misuse and loss of personal information. This guidance should address matters such as the:

(a) factors that should be taken into account in determining what are ‘reasonable steps’, including: the likelihood and severity of harm threatened; the sensitivity of the information; the cost of implementation; and any privacy infringements that could result from such data security steps; and

(b) relevant security measures, including privacy-enhancing technologies such as encryption, the security of paper-based and electronic information, and organisational policies and procedures.

Recommendation 28–4 (a) The ‘Data Security’ principle should require an agency or organisation to take reasonable steps to destroy or render non-identifiable personal information if:

(i) it is no longer needed for any purpose for which it can be used or disclosed under the model Unified Privacy Principles; and

(ii) retention is not required or authorised by or under law.

(b) The obligation to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of s 24 of the Archives Act 1983 (Cth).

Recommendation 28–5 The Office of the Privacy Commissioner should develop and publish guidance about the destruction of personal information, or rendering such information non-identifiable. This guidance should address matters such as:

(a) when it is appropriate to destroy or render non-identifiable personal information, including personal information that:

(i) forms part of a historical record; and

(ii) may need to be preserved, in some form, for the purpose of future dispute resolution;

(b) the interaction between the data destruction requirements and legislative records retention requirements; and

(c) the manner in which personal information should be destroyed or rendered non-identifiable.

29. Access and Correction

Recommendation 29–1 The model Unified Privacy Principles should contain a principle called ‘Access and Correction’ that, subject to Recommendation 29–2, applies consistently to agencies and organisations.

Recommendation 29–2 The ‘Access and Correction’ principle should provide that:

(a) if an agency holds personal information about an individual, the individual concerned is entitled to have access to that personal information, except to the extent that the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; and

(b) subject to Recommendation 29–3, if an organisation holds personal information about an individual, the individual concerned shall be entitled to have access to that personal information, except to the extent that one of the exceptions to the right of access presently set out in National Privacy Principle 6.1 or 6.2 applies.

Recommendation 29–3 The ‘Access and Correction’ principle should provide that, where an organisation holds personal information about an individual, it is not required to provide access to the information to the extent that providing access would be reasonably likely to pose a serious threat to the life or health of any individual.

Recommendation 29–4 The ‘Access and Correction’ principle should provide that, where an agency or organisation is not required to provide an individual with access to his or her personal information, the agency or organisation must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.

Recommendation 29–5 The ‘Access and Correction’ principle should provide that, if an individual seeks to have personal information corrected under the principle, an agency or organisation must take such steps, if any, as are reasonable to:

(a) correct the personal information so that, with reference to a purpose for which the information is held, it is accurate, relevant, up-to-date, complete and not misleading; and

(b) notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances.

Recommendation 29–6 The ‘Access and Correction’ principle should provide that an agency or organisation must, in the following circumstances, if requested to do so by the individual concerned, take reasonable steps to associate with the record a statement of the correction sought:

(a) if the agency or organisation that holds personal information is not willing to correct personal information in accordance with a request by the individual concerned; and

(b) where the personal information is held by an agency, no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth.

Recommendation 29–7 The ‘Access and Correction’ principle should provide that an agency or organisation must:

(a) respond within a reasonable period of time to a request from an individual for access to his or her personal information held by the agency or organisation; and

(b) provide access in the manner requested by the individual, where reasonable and practicable.

Recommendation 29–8 The ‘Access and Correction’ principle should provide that where an agency or organisation denies a request for access, or refuses to correct personal information, it must provide the individual with:

(a) reasons for the denial of access or refusal to correct personal information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the personal information; and

(b) notice of potential avenues for complaint.

Recommendation 29–9 The Office of the Privacy Commissioner should develop and publish guidance on the ‘Access and Correction’ principle, including:

(a) when personal information is ‘held’ by an agency or organisation;

(b) the requirement that access to personal information should be provided to the maximum extent possible consistent with relevant exceptions;

(c) the factors that an agency or organisation should take into account when determining what is a reasonable period of time to respond to a request for access;

(d) the factors that an agency or organisation should take into account in determining when it would be reasonable and practicable to notify other entities to which it has disclosed personal information of a correction to this information; and

(e) the interrelationships between access to, and correction of, personal information under the Privacy Act and other Commonwealth laws, in particular, those relating to freedom of information.

30. Identifiers

Recommendation 30–1 The model Unified Privacy Principles should contain a principle called ‘Identifiers’ that applies to organisations.

Recommendation 30–2 The ‘Identifiers’ principle should include an exception for the adoption, use or disclosure by prescribed organisations of prescribed identifiers in prescribed circumstances. These should be set out in regulations made:

(a) in accordance with the regulation-making mechanism set out in the Privacy Act; and

(b) when the Minister is satisfied that the adoption, use or disclosure is for the benefit of the individual concerned.

Recommendation 30–3 The ‘Identifiers’ principle should define ‘identifier’ inclusively to mean a number, symbol or biometric information that is collected for the purpose of automated biometric identification or verification that:

(a) uniquely identifies or verifies the identity of an individual for the purpose of an agency’s operations; or

(b) is determined to be an identifier by the Privacy Commissioner.

However, an individual’s name or Australian Business Number, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an ‘identifier’.

Recommendation 30–4 The ‘Identifiers’ principle should contain a note stating that a determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of s 5 of the Legislative Instruments Act 2003 (Cth).

Recommendation 30–5 The ‘Identifiers’ principle should regulate the adoption, use and disclosure by organisations of identifiers that are assigned by state and territory agencies.

Recommendation 30–6 Before the introduction by an agency of any multi-purpose identifier, the Australian Government, in consultation with the Privacy Commissioner, should conduct a Privacy Impact Assessment.

Recommendation 30–7 The Office of the Privacy Commissioner, in consultation with the Australian Taxation Office and other relevant stakeholders, should review the Tax File Number Guidelines issued under s 17 of the Privacy Act.

31. Cross-border Data Flows

Recommendation 31–1 (a) The Privacy Act should be amended to clarify that it applies to acts done, or practices engaged in, outside Australia by an agency.

(b) The model Unified Privacy Principles should contain a principle called ‘Cross-border Data Flows’ that applies to agencies and organisations.

Recommendation 31–2 The ‘Cross-border Data Flows’ principle should provide that, if an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia or an external territory, the agency or organisation remains accountable for that personal information, unless the:

(a) agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to the model Unified Privacy Principles;

(b) individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or

(c) agency or organisation is required or authorised by or under law to transfer the personal information.

Recommendation 31–3 The Privacy Act should be amended to provide that ‘accountable’, for the purposes of the ‘Cross-border Data Flows’ principle, means that where an agency or organisation transfers personal information to a recipient (other than the agency, organisation or the individual) that is outside Australia or an external territory:

(a) the recipient does an act or engages in a practice outside Australia or an external territory that would have been an interference with the privacy of the individual if done or engaged in within Australia or an external territory; and

(b) the act or practice is an interference with the privacy of the individual, and will be taken to have been an act or practice of the agency or organisation.

Recommendation 31–4 A note should be inserted after the:

(a) ‘Use and Disclosure’ principle, cross-referencing to the ‘Cross-border Data Flows’ principle; and

(b) ‘Cross-border Data Flows’ principle, cross-referencing to the ‘Use and Disclosure’ principle.

Recommendation 31–5 Section 13B of the Privacy Act should be amended to clarify that, if an organisation transfers personal information to a related body corporate outside Australia or an external territory, the transfer will be subject to the ‘Cross-border Data Flows’ principle.

Recommendation 31–6 The Australian Government should develop and publish a list of laws and binding schemes in force outside Australia that effectively uphold principles for the fair handling of personal information that are substantially similar to the model Unified Privacy Principles.

Recommendation 31–7 The Office of the Privacy Commissioner should develop and publish guidance on the ‘Cross-border Data Flows’ principle, including guidance on:

(a) circumstances in which personal information may become available to a foreign government;

(b) outsourcing government services to organisations outside Australia;

(c) the issues that should be addressed as part of a contractual agreement with an overseas recipient of personal information;

(d) what constitutes a ‘reasonable belief’;

(e) consent to cross-border data flows, including information for individuals on the consequences of providing consent;

(f) the establishment by agencies of administrative arrangements, memorandums of understanding or protocols with foreign governments, with respect to appropriate handling practices for personal information in overseas jurisdictions where privacy protections are not substantially similar to the model Unified Privacy Principles (for example, where the transfer is required or authorised by or under law); and

(g) examples of circumstances which do, and do not, constitute a transfer for the purposes of the ‘Cross-border Data Flows’ principle.

Recommendation 31–8 The Privacy Policy of an agency or organisation, referred to in the ‘Openness’ principle, should set out whether personal information may be transferred outside Australia and the countries to which such information is likely to be transferred.