A new privacy principle for deletion of personal information

Proposal 15–2 A new Australian Privacy Principle should be inserted into the Privacy Act 1988 (Cth) that would:

(a) require an APP entity to provide a simple mechanism for an individual to request destruction or de-identification of personal information that was provided to the entity by the individual; and

(b) require an APP entity to take reasonable steps in a reasonable time, to comply with such a request, subject to suitable exceptions, or provide the individual with reasons for its non-compliance.

Question 15–1 Should the new APP proposed in Proposal 15–2 also require an APP entity to take steps with regard to third parties with which it has shared the personal information? If so, what steps should be taken?

The importance of deletion

15.22 Several submissions to the Issues Paper noted that the harm caused by a serious invasion of privacy in the digital era will often increase the longer private information remains accessible.[18] Ensuring that individuals have a means to rapidly remove such information is one way to reduce the availability of private information. This proposal, if enacted, would provide a mechanism to assist individuals in having certain personal information destroyed or de-identified. The risk of that information being misused or disclosed in the future would thereby be reduced.

15.23 This proposal would not provide a mechanism to allow individuals to request the deletion of private information posted about them by other individuals or organisations. In this respect, the proposal is significantly different from the ‘Right to be Forgotten’, which has been considered in the European Union[19] and which was referred to in the Issues Paper.[20]

Limits of the proposed privacy principle

15.24 The proposed privacy principle includes two key requirements. First, an APP entity (as defined in the Privacy Act 1988 (Cth)) would be required to provide a mechanism for individuals to request the deletion or de-identification of personal information held by that entity. Such a mechanism is already provided by some online services, allowing individuals to delete information that they have previously added to the service.[21]

15.25 The second element of the proposal would require an APP entity that receives such a request to take reasonable steps to destroy or de-identify the relevant personal information in a reasonable time. Such a requirement would be subject to certain exceptions including, for example, where the information is required by law to be retained.[22] An organisation which did not destroy or de-identify the information would be required to provide the requesting individual with the reason for its decision.

The context of the Privacy Act

15.26 The proposed privacy principle would be contained within the Privacy Act 1988 (Cth), along with the thirteen existing Australian Privacy Principles (APPs). The existing APPs include similar, but weaker, requirements. First, an APP entity must take reasonable steps to correct personal information held about an individual at the individual’s request.[23] Second, an APP entity must destroy or de-identify personal information that is no longer required for a specific purpose under the APPs.[24] The proposed privacy principle would complement these existing APPs. First, an individual would be empowered not only to request correction of personal information but also to request its deletion. Second, deletion would be required not only when the personal information is no longer useful but also when the individual requests its deletion.

15.27 As an APP, the proposed principle would engage the existing complaints and enforcement mechanisms of the Office of the Australian Information Commissioner. In particular:

  • an APP entity’s failure to comply with the principle would constitute an interference with the privacy of an individual under the Privacy Act;[25]

  • an affected individual could therefore make a complaint about the failure to the OAIC;[26] and

  • a serious or repeated failure to comply with the principle would constitute a breach of a civil penalty provision, possibly resulting in pecuniary penalties.[27]

Extending the deletion requirement for data-sharers

15.28 The ALRC has asked whether the proposed privacy principle should also require an APP entity to take additional steps where a deletion request is made and the relevant information has been shared with third parties. The ALRC has also asked what additional steps should be required in such cases. Some possible examples of additional steps include:

  • requiring the APP entity that receives the request to provide the requesting individual with a list of third parties that have received the information; and

  • requiring the APP entity that receives the request to notify any third parties with which it has shared the information that the request has been made.

15.29 The utility of any such additional requirements would likely depend on the extent to which personal information collected by one APP entity is shared with other APP entities. However, the ALRC also acknowledges that, depending on the steps required, this extension of the proposed privacy principle may introduce additional burdens on APP entities.