REVIEW OF AUSTRALIAN PRIVACY LAW (DP 72, 12 September 2007)

Submission of the

HUMAN RIGHTS AND EQUAL OPPORTUNITY COMMISSION (HREOC)

to the

AUSTRALIAN LAW REFORM COMMISSION (ALRC)

ON THE ALRC’S DISCUSSION PAPER, REVIEW OF AUSTRALIAN PRIVACY LAW (DP 72, 12 September 2007)

20 December 2007

Human Rights and Equal Opportunity Commission

Level 8, 133 Castlereagh St

GPO Box 5218

Sydney NSW 2001

Ph. (02) 9284 9600

---

A. INTRODUCTION

1. The Human Rights and Equal Opportunity Commission (HREOC) generally supports the intention of the Australian Law Reform Commission (ALRC) to ensure that the Privacy Act adequately protects every Australian’s right to be free from unlawful and arbitrary interferences with their privacy.  HREOC makes the following submissions about some of the issues raised in DP 72. 

B. SUMMARY OF SUBMISSIONS

1. INDIGENOUS SPECIFIC ISSUES

(a) Amending the Privacy Act to provide protection for the privacy of Indigenous groups – Proposal 1-1

2. HREOC supports the ALRC’s proposal for the development of protocols to protect the privacy of Indigenous and other ethnic groups, rather than the amendment of the Privacy Act to achieve this aim, subject to the following:
   
   1. protocols concerning Indigenous groups should be developed in consultation with a broad range of stakeholders including (in addition to those proposed by the ALRC) at least the following bodies:
      
      1. the Australian Institute of Aboriginal and Torres Strait Islander Studies; and
      2. the Aboriginal and Torres Strait Islander Social Justice Commissioner;
   2. the Privacy Act should be amended to create the option of making any rights or obligations arising under these protocols legally enforceable;
   3. the Office of the Privacy Commissioner (OPC) or other appropriate body develop and provide education for Indigenous communities about privacy laws and any protocols that are developed to deal with protection of the privacy of Indigenous groups.

(b) Use, disclosure and access to personal information (whether relating to a living or a deceased individual) Proposals 3-11, 12-8, 22 and 26-1  

3. HREOC submits that there should be recognition in the Privacy Act of the importance of ensuring that Indigenous people are able to identify their family and/or community. This could be by way of provisions such as:
   
   1. that secondary use and disclosure of personal information (whether the information is about a living or deceased individual) is permissible if the use or disclosure is reasonably necessary to enable an Indigenous person to identify his/her natural family and/or community; and
      
   2. that an agency/organisation is required to provide access to personal information to a person, if that person is seeking the information in order to identify his/her natural family and/or community and that access is reasonably necessary to enable him/her to identify his/her natural family and/or community.

(c) Data security principle in relation to living and deceased individuals – Proposals 3-11 and 25-4

4. The ALRC should clarify that the proposed data security principle will not require the destruction or de-identification of records relating to Indigenous individuals, families or communities or to any children, Indigenous or otherwise, removed from their families for any reasons.

(d) Removal of the present exemption from the Privacy Act that applies to small businesses – Proposal 35

5. HREOC supports the proposed removal of this exemption to better protect the rights of Australians to privacy. Significantly in the context of the Northern Territory National Emergency Response, such an extension is necessary to  provide protection for the privacy of Indigenous persons whose personal information will be given to small businesses – for example, in connection with liquor restrictions, regulation of public computers and ‘income management’ measures.

2. Proposed amendment of the Privacy Act to permit ‘authorised representatives’ to make decisions on behalf of persons with a temporary or permanent incapacity – Proposal 61

6. HREOC supports the proposed inclusion of an alternative decision-making mechanism for adults with impaired decision-making capacity and in particular the proposed test for assessing capacity.  However, HREOC is of the view that the proposed ‘authorised representative’ mechanism will not adequately address the concerns raised by disability advocate groups about the Privacy Act impeding appropriate third parties from accessing information about persons lacking capacity and further consideration needs to be given to this issue.

3.  CREATION OF STATUTORY CAUSE OF ACTION FOR INVASION OF PRIVACY - Proposal 5

7. HREOC supports the creation of a statutory cause of action for breach of privacy as this will, in part, fulfil Australia’s obligation under Article 17 of the International Covenant on Civil and Political Rights (ICCPR)to take positive steps to protect an individual’s right to privacy.  HREOC, however, submits that the ALRC should clarify that:
   
   1. in relation to the public interest defence:
      
      1. it will not operate to protect matters, such as salacious gossip, that are merely of interest to the public but will only protect matters that are of legitimate public concern; and
         
      2. if the breach is of a child’s privacy, when applying the public interest defence, consideration should be given to the best interests of the child;
   2. in relation to both the public interest defence and the defence in respect of disclosures that are privileged under defamation law, these defences should also be available in respect of actions that constitute an invasion of privacy and not be limited to disclosures that constitute an invasion of privacy.

4. Decision-making for persons under the age of 18 years – Proposals 60-1 to 60-6

8. HREOC commends the ALRC for recommending amendments to the Privacy Act that will, in line with Article 12 of the Convention on the Rights of the Child (CRC), allow for children to have greater participation in decision-making in relation to information about themselves.  HREOC, however, submits that the ALRC should consider recommending that the Privacy Act be amended to provide that when an agency, organisation or authorised representative is dealing with personal information about a child they must have regard to the best interests of the child.

5. Submissions about the proposed unified privacy principles (‘the UPPs’) and their impact on HREOC

(a) Proposed principle in relation to unsolicited information – Proposal 2-5

9. HREOC submits that the ALRC should clarify that the proposed principle in relation to collection of unsolicited information does not prohibit an agency from reviewing such information and seeking advice on such information in order to determine whether it is permitted to retain it.

(b) Proposed notification principle – Proposal 20

10. HREOC submits that the notification requirement should not apply to information received by investigative or complaint-handling bodies in the course of their investigation or complaint-handling functions where the agency does not intend to take any steps adverse to the person about whom the information relates.

C. DISCUSSION

1. INDIGENOUS SPECIFIC ISSUES

(a) Amending the Privacy Act to provide protection for the privacy of Indigenous groups – Proposal 1-1

(i) Protection of Indigenous group information

11. In several Australian cases that have considered unauthorised disclosure of Indigenous information, the Courts have accepted evidence that the disclosure potentially undermines the stability of Indigenous communities.1  Accordingly, the protection of Indigenous group information accords with Australia’s obligations under Article 27 of the ICCPR which provides:
    

    In those States in which ethnic, religious or linguistic minorities exist, persons belonging to such minorities shall not be denied the right, in community with the other members of their group, to enjoy their own culture, to profess and practise their own religion, or to use their own language.

    Article 27 creates a positive obligation on States to ensure the survival and continued development of the cultural, religious and social identity of minority groups2, including Indigenous groups.3

12. Whilst some measure of protection of Indigenous group information is offered by various common law and equitable principles (eg. public interest immunity and breach of confidence claims) and by some statutory provisions (eg. the Copyright Act) the protection offered is disparate and not entirely adequate.  There is therefore a need to provide some measure of protection.

13. HREOC supports the development of protocols rather than legislative amendment to provide the necessary protection for the following reasons:
    
    1. protocols offer greater flexibility than legislation – as the range of information that could potentially be protected and the level of protection required will vary it would be difficult to draft a generic set of principles; and
       
    2. there is greater opportunity to consult broadly with stakeholders when developing protocols than is available when preparing legislation.

 

(ii) Consultation

14. The present proposal acknowledges the need for consultation with Indigenous and ethnic groups.  Consultation should take place with the additional bodies referred to in HREOC’s submission (see below) because of their considerable knowledge on Indigenous issues and in particular Indigenous cultural information.

 

(iii) Legal enforceability

15. Finally, the Act should be amended to provide an opportunity for any protocols to be given legal effect to such as through approval by the Privacy Commissioner as a ‘code’ (see Part IIIAA of the Privacy Act, for example).  This will provide greater protection for Indigenous information than the present proposal which does not involve any measure of legal enforceability.

 

(iv) Education

16. Protocols will only be effective if Indigenous communities are educated and made aware of their rights under such protocols.  It is therefore important that any proposal be supported by development and provision of education to Indigenous people about their privacy rights and in particular rights under any protocols that are intended to protect them.

 

(b) Use, disclosure and access to personal information (whether relating to a living or a deceased individual) Proposals 3-11, 12-8, 22, 26-1  

17. Clarification/modification of the proposed principles in relation to use and disclosure and access will ensure that they do not unduly inhibit the ability of Indigenous people to access information needed to identify their natural families or communities. 

18. The right to privacy protected by Article 17 of the ICCPR is not an absolute right.  Article 17 provides:
    1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

    2. Everyone has the right to the protection of the law against such interference or attacks.
       
       Article 17 only prohibits interferences with privacy that are unlawful and arbitrary.  An interference with privacy will not be arbitrary if it is reasonable in all the circumstances.4 

19. In the Bringing them home Report HREOC highlights the need to balance privacy rights against the need to provide Indigenous people with access to information saying:
    

    The need to protect one person's privacy has to weighed against the need to provide another with access to personal information. The refusal to release third party identifying information could deny an Indigenous searcher the opportunity for reunion with his or her family and/or community and access to entitlements for which proof of community connection or Aboriginality generally is required.

20. HREOC goes on to say that whilst the precise details of any access principles would have to be developed further, that as a minimum such principles would have to provide that:
    

    …every searcher must be entitled to personal and family identifying information, including parents' and siblings' names and dates and places of birth, even where disclosure of that information might be thought to infringe third party privacy.

21. The modification of privacy laws in order to ensure the preservation of information required by Indigenous people to identify family and/or communities and to permit disclosure of and access to such information can be seen as reasonable in the circumstances and therefore not an arbitrary or unlawful interference with privacy rights.  As explained below, the use and disclosure and access principles proposed by the ALRC may create an impediment to Indigenous people accessing necessary information and should therefore be clarified to ensure this does not occur.

(i) General use and disclosure principles – Proposal 22

22. In some cases the ALRC’s proposed exceptions to the prohibition on secondary disclosures may permit disclosure of personal information to an Indigenous person that the person needs to identify family and/or communities.  The exceptions may not, however, always permit such disclosures.  As such, and for the reasons given above, the ALRC should clarify that secondary use and disclosure of personal information is permitted if it is done in order to provide an Indigenous person with information he/she requires to identify family and/or community.

(ii) Use and disclosure principle in relation to deceased persons – Proposal 3-11(a)

23. It is unclear whether the ALRC’s proposed use and disclosure principle in relation to information about deceased persons is that:
    
    1. organisations merely consider this issue; or
       

    2. whether this is intended to operate as an exception to the prohibition against secondary uses and disclosures so that an organisation is permitted to use or disclose personal information about a deceased individual if the use or disclosure would not involve an unreasonable use or disclosure of personal information.

24. If it is intended to operate as an exception then HREOC is of the view that organisations would be permitted to disclose personal information about a deceased person to an Indigenous person who is seeking the information in order to identify his/her natural family and/or community.

25. The ALRC should clarify that the principle will permit such secondary uses and disclosures instead of simply requiring consideration to be given to whether a use or disclosure would involve an unreasonable use or disclosure.  This would ensure organisations can disclose personal information about a deceased person to a third person who is seeking the information in order to identify his/her natural family and/or community.

(iii) Access principles in respect of personal information concerning living and deceased individuals – Proposal 3-11(b), 12-8 and 26-1

26. The ALRC has not yet precisely formulated the access principle in relation to personal information about a living individual held by agencies or organisations so it is not possible to conclude whether it will ensure that Indigenous persons can obtain access to information that they need in order to identify their natural family or community.

27. In relation to access to information about a deceased individual the ALRC has recommended that any access principle require an organisation to consider whether provision of access would have an unreasonable impact on the privacy of other individuals, including the deceased.  The application of this proposed principle may impede the ability of Indigenous persons to access information about their natural family or community as access may be considered to involve an unreasonable impact on the privacy of others.

28. In accordance with the recommendation made by HREOC in the Bringing them home Report referred to at [19] above, when formulating any recommendations about access principles the ALRC needs to ensure that agencies and organisations will be required to provide Indigenous persons with access to information that they need to identify their natural family and/or community even if this involves an infringement of a third party’s privacy.

 

(c) Data security principle in relation to living and deceased individuals – proposals 3-11 and 25-4

29. The application of the data security principle proposed by the ALRC may result in the destruction or interference with records about Indigenous people needed to identify their family and/or community.  The principle should therefore be modified to prevent this from occurring to accord with Recommendation 21 made by HREOC in its Bringing them home Report, namely:
    

    That no records relating to Indigenous individuals, families or communities or to any children, Indigenous or otherwise, removed from their families for any reason, whether held by government or non-government agencies, be destroyed.

 

(d) Removal of the present exemption from the Privacy Act that applies to small businesses – Proposal 35

30. In a submission by the OPC to the Senate Standing Committee on Legal and Constitutional Affairs on the Inquiry into the Northern Territory National Emergency Response legislation, the OPC submitted that the changes introduced by that legislation may create a gap in the protection provided to personal information and there was a need to address this gap.  In particular the OPC’s submission highlighted that the changes introduced by:
    
    1. the Northern Territory National Emergency Response Act 2007 (Cth) in relation to the sale of liquor and use of publicly funded computers; and
    2. the Social Security and Other Legislation Amendment (Welfare Payment Reform) Act 2007(Cth) which relates to income management and child protection matters,
       will involve the collection, use and disclosure of personal information and that many of the organisations that will receive the information are likely to fall within the small business exception.  This means that Indigenous people may have no legal redress in respect of unauthorised disclosures or uses of their personal information collected under the above Acts.  One way of addressing this gap in privacy protection is to remove the exemption applicable to small businesses.

 

2. Proposed amendment of the Privacy Act to permit ‘authorised representatives’ to make decisions on behalf of persons with a temporary or permanent incapacity – Proposal 61­‑1 and 61-2

31. Given the concerns identified in submissions received by the ALRC on this issue by disability advocate groups, HREOC submits that any alternative decision-making regime needs to ensure that:
    
    1. it will be easy for front-line staff to determine whether a person can exercise a right under the Privacy Act on behalf of another; and
       
    2. the mechanism created does not leave the person with an incapacity vulnerable to abuse; and
       

    3. enables advocates who are not formally legally appointed to exercise rights under the Privacy Act on behalf of an individual for whom they advocate.

32. The ALRC proposal does not, in HREOC’s view, achieve these aims because of the following problems with the proposed definition of ‘authorised representative’:

    1. The definition will not easily enable front-line staff to determine whether someone is an ‘authorised representative’.

    Proposed paragraph (d) of the definition of ‘authorised representative’ will not be easy for frontline staff to apply.  Paragraph (d) will require frontline staff (who are not legally trained) to determine whether a person is ‘otherwise empowered under law to perform any functions or duties as agent or in the best interests of the individual’.  The wording of this paragraph is quite legalistic and may be difficult for people who are not legally trained to apply.

    2. It will still leave individuals vulnerable to abuse for the following reasons:
       
       1. Paragraph (d) of the proposed definition may, perhaps unintentionally, authorise persons to exercise rights under the Privacy Act that are unrelated in any way to the function or duty that they are empowered under law to perform in relation to the individual.  This result flows from:
          • the broad terms of the proposed paragraph (d) of the definition of ‘authorised representative’, in that the function or duty is any function or duty and is not limited to functions or duties that are related to the right under the Privacy Act that the person is seeking to exercise; and
          • the limited nature of the proposed restriction on an authorised representative’s powers.

       2. If a family member, spouse or friend is a ‘person responsible’ under Part 5 of the NSW Guardianship Act 1987 they will fall within paragraph (d) of the proposed definition of ‘authorised representative’.  This is potentially of concern because the Office of the Public Advocate noted that in most cases perpetrators of abuse of older people are in most cases family member of person in a position of duty of care in relation to the older person.

    3. The proposed definition will not always permit advocates acting on behalf of an individual pursuant to an informal arrangement to make decisions under the Privacy Act. 

33. The above concerns cannot be remedied simply by removing paragraph (d) from the definition of ‘authorised representative’ because the remaining paragraphs of the definition only cover a limited range of advocates who are appointed pursuant to a formal legal instrument and there will be several people with disabilities who will therefore not have an authorised representative.

34. Given the above concerns HREOC submits that the ALRC should consider whether the ‘authorised representative’ mechanism is the best one in the circumstances and may wish to consult further with interested parties on this issue.

 

3. Protection of a right to personal privacy – Proposal 5

35. Although the creation of the proposed tort of invasion of privacy will ensure that the right to privacy is protected, it may also interfere with the right to freedom of expression recognised under Article 19(2) of the ICCPR.  Article 19(2) and (3) provides:
    

    …

    2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.

    3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:

    (a) For respect of the rights or reputations of others;
    

    (b) For the protection of national security or of public order (ordre public), or of public health or morals.
    

    Neither the right to privacy nor the right to freedom of expression are absolute rights.  Article 17 only protects persons from interferences with their privacy that are ‘arbitrary’ and ‘unlawful’ and Article 19 permits interferences with the right to freedom of expression that are necessary to respect other rights, which would include the right to privacy.  Any statutory cause of action for invasion of privacy therefore needs to ensure that the right balance is struck between these two competing rights.  Bearing this in mind HREOC submits as follows.       

(a) Public interest defence

(i) Clarifying the term ‘public interest’      

36. The proposed defence would protect disclosures that are ‘a matter of public interest’.  There is a possibility that the proposed wording of the defence may be interpreted as extending protection to any matter that the public is interested in such as salacious gossip.  Such a possibility could be avoided by any legislation explicitly stating that merely because a matter is of interest to the public (such as salacious gossip) it does not follow that it would be considered to be a ‘matter of public interest’ and that to qualify for protection the matter must be of legitimate public concern.

37. It is important to clarify this issue as too broad an interpretation of the public interest defence would permit arbitrary interferences with privacy which would be in breach of Article 17 of the ICCPR and go beyond what is necessary to protect the right to freedom of expression.  Further, clarification would ensure that the public interest defence is applied in a similar way to the manner in which it is applied in overseas jurisdictions that have a public interest defence to actions for invasion of privacy.5

 

(ii) Best interests of the child

38. The proposed public interest defence will require a court to weigh the public interest in disclosure against a person’s right to privacy.  Article 3(1) of the Convention on the Rights of the Child (‘CRC’) provides:
    

    In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.

    In accordance with Article 3 of the CRC, in cases involving an alleged invasion of a child’s privacy, consideration should also be given to the best interests of the child.

 

(iii)    Extending the public interest defence and the defence in relation to information that is, under the law of defamation, privileged to ‘acts’

39. The wording of the ALRC’s proposal in relation to these defences suggests that they will only be available if the invasion of privacy involves a disclosure, but will not be available if the invasion of privacy involves an act.  The reason for including a public interest defence and a defence in relation to information that is privileged under defamation law is in order to ensure that actions for invasion of privacy do not unduly restrict freedom of expression.  If these defences are not extended to protecting actions that may constitute an invasion of privacy then the proposed cause of action may unduly restrict freedom of expression.  Given that the proposed cause of action will apply to both actions and disclosures, any defences should extend to both.

 

4. Decision-making for persons under the age of 18 years – Proposal 60-1 to 60-6

40. The ALRC’s proposals in relation to privacy principles do not require either organisations or agencies or authorised representatives to have regard to the best interest of children when dealing with information about children.  Given that the privacy principles will apply to very sensitive information such as information disclosed by children to medical practitioners and counsellors it is important to ensure that regard is had to the best interests of children.  Further, a requirement that regard be had to the best interests of children when dealing with information about children will accord with Australia’s obligations under Article 3 of CRC.

 

5. Application of the proposed amendments to HREOC

(a) Proposed principle in relation to unsolicited information – Proposal 2-5

41. The present wording of the proposed principle could be taken to suggest that an agency or organisation must destroy information before even considering whether it is permitted to retain it or seeking legal advice on whether it is permitted to retain it as both of these may constitute use of the information.  It might be useful to clarify this issue.

 

(b) Proposed notification requirement – Proposal 20

42. For the reasons given below, HREOC is concerned that the proposed notification principle may impede the ability of HREOC to discharge its functions under:
    
    1. Sub-section 11(1)(aa) of the Human Rights and Equal Opportunity Commission Act 1986 (Cth) (HREOCA) – to inquire into, and attempt to conciliate, complaints of unlawful discrimination; and
    2. Sub-section 11(1)(f)(i) of HREOCA – to endeavour, by conciliation, to effect a settlement of matters arising in an inquiry into an act or practice that may be inconsistent with or contrary to a human right.           

These complaints and inquiries are investigated and conciliated by the Complaint Handling Section (CHS) of HREOC.

43. At present, in the following situations, the CHS does not ordinarily make an individual aware of receipt of personal information:

    1. Where they are named as a respondent or third party in written or e-mail correspondence to HREOC and this correspondence does not constitute a complaint under the HREOCA. Written information that does not constitute a complaint is classified as an ‘enquiry’.  In 2006-2007 the CHS received approximately 2,400 written/e-mail ‘enquiries’.

    2. Where a complaint or response to a complaint includes personal information about third parties but the CHS does not intend to contact these third parties as part of the investigation process.

    3. Where the complaint or response contains personal information about a complainant or respondent that is considered irrelevant to the investigation of the complaint.

44. In all of the above situations, the individual about whom the information relates is not notified of receipt of the material because HREOC is not proposing to make any finding or take any step adverse to the individual’s interest.

45. Under the ALRC’s proposed notification principle the CHS would have to make the requisite notification in the above situations if a ‘reasonable person’ would expect it.  Arguments could be made either way as to whether in the above situations a ‘reasonable person’ would expect to receive the requisite notification so it is not entirely clear whether the notification requirement would apply. 

46. If notification was required in the situations described above it would have the following adverse consequences:
    
    1. Notification may impede the ability of HREOC to successfully conciliate complaints – in some cases, disclosure of disparaging comments made by the other party that are unrelated to the complaint may adversely impact on the other party’s willingness to cooperate.
    2. Providing notifications may result in the imposition of an unreasonable administrative burden on the CHS.  Apart from the administrative burden associated with making the requisite notifications, the notifications are likely to generate other inquiries from the individual that the CHS will have to respond to.

    3. Notification may generate further disputes.

47. In order to avoid any uncertainty and to ensure that the notification requirements do not impose an undue burden on the CHS, the ALRC should clarify the operation of this principle in the manner recommended in the submission below. 

 

Human Rights and Equal Opportunity Commission

20 December 2007

---

Footnotes

[1] Foster v Mountford Rigby Ltd (1976) 14 ALR 71; Milpurrurru, Marika, Payunka & Public Trustee for the Northern Territory v Indofurn Pty Ltd, Bethune, King & Rylands (1994) 54 FCR 240.

[2] See Human Rights Committee General Comment 23 at [9].

[3] See Human Rights Committee General Comment 23, paragraphs 3.2 [24.02] and 7 [24.22].  Also see Sandra Lovelace HRComm No. 24/1977; Mahuika v New Zealand HRComm No 547/1993 in which members of Indigenous groups alleged their rights had been violated under Article 27.

[4] See Human Rights Committee General Comment 16, [4] and Tonnen v Australia HRComm No. 488/92 at [8.3].

[5] Hosking v Runting [2005] 1 NZLR 1