Future – Privacy Laws – implications for schools

We aim to deliver Just, Redemptive Outcomes®

A paper presented on 20 February 2009 at the Christian Schools Australia (Queensland) Industrial Relations Conference

Background

 

The law imposes different duties on different people.  It is a truism that the duties imposed on the modern school are various and onerous.  There is perhaps no more onerous duty imposed under the common law than the duty imposed on adults, particularly educators, who have the care of children.  Apart from duties of care to children, schools owe various duties to employees under industrial relations or workplace health and safety legislation, duties to the Australian Tax Office to properly assess eligibility for tax concession charity status, and duties to parents under enrolment contracts.

 

Although I have found that schools take all their legal duties seriously, privacy law is perhaps one that receives less attention than the others.

 

Unlike most of us here, there are some people who clearly get excited about privacy law.

 

Following a two-year review of privacy laws, in August 2008 the Australian Law Reform Commission released its report on the Privacy Act 1998 (Cth), titled “For Your Information”.  The report is comprehensive: 2,700 pages spread over three volumes!  The Commission has made 295 separate recommendations.  I might just note that the Privacy Act itself contains only about 200 sections spread over 260 pages.

 

At the time of launching the report, Senator Faulkner, noting its complexity, indicated that the Government intended to consider the report in two stages, with draft legislation being introduced into Parliament in respect of the first stage within about 12 – 18 months.  I am not aware of the progress being made to draft the legislation; but, having regard to the global financial crisis which has occupied attention since September 2008, I can only hazard a guess that any privacy law reform might be on the backburner.

 

Before discussing some of the proposed changes, I just want to go through some of the basics of current privacy laws.

 

Privacy Law 101

  • It is mandatory for most schools to comply with the 10 National Privacy Principles (NPPs);
  • The NPPs set minimum standards for the collection, use, access, and disclosure of personal information (amongst other things);
  • “Personal information” is information or an opinion about an individual which is recorded in such a way as to allow the identification of the individual that the information or opinion is about;
  • “Sensitive information” is a type of personal information, and includes information about ethnic origin, political opinions, sexual preferences, criminal records and health information;
  • “Health information” is a special type of sensitive information;
  • Schools typically collect a large amount of personal, sensitive and health information about students, parents and staff.  For example:
      o Students: name, birth certificate, names of doctors, school reports, race, religion, and medical reports;
      o Parents: name, marital status, race, religion; and
      o Staff: education, tax file numbers, educational qualifications, job references, race and religion.

 

Use and Disclosure

One of the most difficult of the privacy principles to apply is NPP2 – Use and Disclosure.

The general position is that personal information can only be used or disclosed for the primary purpose for which it was collected unless one of the stated exemptions applies.  Some of the circumstances in which a school can use or disclose information for a secondary purpose include:

(a) Reasonable expectation: the secondary purpose is related to the primary purpose of collection and the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose (where the information is sensitive information, the use or disclosure must be directly related to the primary purpose of collection);

[NOTE: no proposed change]

(b) Consent of the individual.

[NOTE: no proposed change; HOWEVER, consider the need for older students, rather than parents, to consent to disclosure]

(c) Serious and imminent threat: the organisation reasonably believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety.

[NOTE: Proposed change from “serious and imminent threat” to “serious threat” only.]

(d) Suspected unlawful activity: where the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, the organisation may use or disclose the personal information as a necessary part of its investigation or in reporting to relevant persons or authorities.

[NOTE: no proposed change]

(e) Required or authorised by law.

[NOTE: Proposed reform includes defining “law” to include “a duty of confidentiality under common law or equity”.]

 

To illustrate circumstances in which Schools may seek to disclose personal information for a secondary purpose, consider school reports.  The primary purpose of the collection of the information would be to provide information on the progress of a student.  A secondary purpose would be to inform parents on the progress of the student.  A school would ordinarily be able to rely on (a) above in providing the report to parents because the student would reasonably expect the disclosure to parents.

 

The reality is most information that schools collect in relation to a student will be able to be disclosed to parents on the basis that the student would reasonably expect the disclosure.

 

Decision making by and for children

Probably some of the most important recommendations made by the ALRC, relevant to schools, relate to the decision-making role of children in privacy-related matters.

At what age can a child make decisions such as:

  • Consenting to the collection of sensitive information?
  • Consenting to the use or disclosure of personal information?
  • Requesting access to personal information?
  • Making complaints against an organisation?

 

The Privacy Act sets no minimum age at which an individual can make decisions on his or her own behalf.  The Guidelines to the NPPs suggest that each case is to be considered individually.  The general principle is that a young person (including a minor) is able to give consent “when he or she has sufficient understanding and maturity to understand what is being proposed”.  This is similar to the formula adopted by the High Court in Re Marion (a medical consent case).

 

Importantly, this is a statement of current law and not proposed future law.  Schools already have duties to consult older students, irrespective of the proposed reforms.

 

It is perhaps a fair comment that most private schools would prefer the decision making role on privacy matters to rest with parents of children under the age of majority.  In their joint submission to the ALRC, the Independent Schools Council of Australia and National Catholic Education Commission noted on the issue, “The School has to consider the rights and expectations of the parent or parents, who are paying the bills and have legitimate interests as parents …”

 

The Commission noted that concerns had been raised about:

  • “private schools contracting away a student’s right to privacy in a standard form agreement with fee paying parents”;
  • “intrusive practices that breach privacy, sometimes supported by school policies”; and
  • “the need for stronger sanctions for schools failing to adhere to privacy laws”.

 

Those statements carry quite strong pejorative tones, which probably reflect a growing segment of society that is vocally calling for an increase in the rights of children.

 

The reforms proposed by the ALRC are themselves probably reflective of the shift towards an increase in the “rights of children”.  This will lead to greater uncertainty for schools when dealing with older students on privacy related issues.

 

Some proposed child-related changes

Recommendation 68-1: The Privacy Act should be amended to provide that where it is reasonable and practicable to make an assessment of the capacity of an individual under the age of 18 to give consent, make a request, or exercise a right under the Act, an assessment about the individual’s capacity should be undertaken.  Where an assessment of capacity is not reasonable or practicable, then an individual:

(a) aged 15 or over is presumed to be capable of giving consent, making a request or exercising a right of access;

(b) under the age of 15 is presumed to be incapable of giving consent, making a recommendation or exercising a right of access.

Recommendation 68-2: The Privacy Act should be amended to provide that where an individual under the age of 18 is assessed or presumed to not have capacity under the Act, any consent, request or exercise of a right in relation to that individual must be made by a person with parental responsibility for the individual.

 

 

In most cases, schools will be in a position to make an assessment of the capacity of an individual.  Whilst it is helpful that the ALRC has not set an arbitrary age for the privacy decision-making capacity of children where an assessment of understanding and maturity can be conducted, it is suggested that the nomination of the age of 15 for circumstances where an assessment cannot be made could very well become a de facto age of presumed privacy decision-making capacity.

 

The proposition that students may have various privacy rights to:

  • withhold consent to some personal or sensitive information being disclosed to parents (or some staff members);
  • request access to their personal files and demand corrections; and
  • make complaints against schools which breach their privacy

is probably a worrying trend for schools.

 

Illustration: In A v Private School [2008] PrivCmrA 1, the Privacy Commissioner was required to adjudicate a complaint made by a student against a private school that refused to provide access to personal information. The student had been asked to leave the school following an investigation.  The school refused the student access to the documents comprising the investigation on the basis that this would disclose the private information of the parties who had made complaints about the student.  These individuals had a fear of retribution if their identity was disclosed.  In this case the Privacy Commissioner upheld the right of the school to withhold access, but only after the school was required to defend the complaint.

 

Recommendation 69-1: Schools subject to the Privacy Policy should clarify in their Privacy Policies how the personal information of students will be handled, including when personal information:

(a) will be disclosed to, or withheld from, persons with parental responsibility and other representatives; and

(b) collected by school counsellors will be disclosed to school management, persons with parental responsibility, or others.

 

 

Importantly, this is not a recommendation of proposed future reform, but of action that schools ought to take immediately under current laws. 

 

One area of particular concern raised by the Commission was the extent to which, if at all, information collected by school counsellors ought to be disclosed to school management and then to parents.  The Commission noted, as a generalisation, that school counsellors desired greater confidentiality in relation to their communications with students, whilst school management and parents wanted greater disclosure.  It was submitted on behalf of the Independent Schools Council of Australia and the National Catholic Education Commission that school counsellors ought to be under a duty to inform the school principal if the counsellor became aware of information that might affect the health or wellbeing of the student and the information was relevant to the school performing its contractual duties to provide schooling.

 

It is highly recommended that schools audit their current privacy policies with a particular view to making clear what personal information collected by the schools is intended to be disclosed to both parents and other parties.   When auditing these policies, schools need to specifically consider the potential for older students wishing to have decision-making power on privacy matters.

 

I would expect most schools would wish to draft their privacy policies so that privacy decision-making rested predominately with parents.  However, in its report, the ALRC noted that it has “particular concerns about suggestions that some schools assume that contracts between parents and a school displace the privacy rights of the student.  The Privacy Policy must be consistent with the law – and in particular privacy principles and the Privacy Act”.

 

Essentially, in the opinion of the Commission, many school privacy policies do not themselves presently comply with the NPPs.  If and when the proposed reforms are enacted, it can only be assumed that the risk for non-compliance will increase.

 

Some other proposed changes to privacy laws

  • Uniform Privacy Principles: It is proposed to replace the 10 NPPs with 11 Uniform Privacy Principles (see the appendix for a table comparing the NPPs and UPPs);
  • Access and correction: In addition to having duties to correct personal information which is not accurate, complete and up-to-date, organisations would be required to correct misleading information and remove irrelevant information;
  • Direct marketing: There are rules for direct marketing, including specific rules for children under the age of 15 (schools will need to consider the direct marketing rules, including for fundraising etc.);
  • Civil liability: Introduction of a statutory cause of action for a serious breach of privacy.  Currently there is no recognised cause of action in Australia for invasion of privacy.  The potential for schools to be sued (as distinct from complaints made to the Privacy Commissioner) by disgruntled students, parents or staff is likely to be an unwanted incursion for school management.

 

Concluding remarks

 

The proposed reforms to privacy laws would appear to suggest an increasing need in the future for schools to engage with their older students on privacy related issues.  As a result of this trend, one might expect there to be increasing tension between the wishes of a student and the parent in relation to use and disclosure of personal information.

 

Irrespective of if or when the proposed reforms are enacted, it is the opinion of the ALRC that many schools are already riding roughshod over the privacy rights of students.  The ALRC implores schools to immediately review their policies and to draft them in accordance with privacy laws.

 

I must say that I have always found the schools I deal with at Corney & Lind to have held the privacy of students, parents and staff in the highest regard.  In dealing with privacy matters, most schools seem concerned to ensure they deal with students, parents and teachers in the Christian spirit of fairness, grace, transparency and respect.  These are precisely the types of qualities which should underpin the successful implementation and application of a privacy policy.

 

APPENDIX

COMPARISON UNIFIED PRIVACY PRINCIPLES & NATIONAL PRIVACY PRINCIPLES

 

UNIFIED PRIVACY PRINCIPLES

NATIONAL PRIVACY PRINCIPLES

UPP1 – ANONYMITY AND PSEUDONYMITY

Wherever it is lawful and practicable in the circumstances, agencies and organisations must give individuals the clear option of interacting by either:

(a)        not identifying themselves; or

(b)        identifying themselves with a pseudonym.

NPP8 – ANONYMITY

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

 

UPP2 – COLLECTION

2.1       An agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

2.2       An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

2.3       If it is reasonable and practicable to do so, an agency or organisation must collect personal information about an individual only from that individual.

2.4       If an agency or organisation receives unsolicited personal information about an individual from someone else, it must either:

(a)        if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or

(b)        comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had actively collected the information.

2.5       In addition to the other requirements in UPP 2, an agency or organisation must not collect sensitive information about an individual unless:

(a)        the individual has consented;

(b)        the collection is required or authorised by or under law;

(c)        the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information concerns is legally or physically incapable of giving or communicating consent;

(d)        if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:

(i)         the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and

(ii)        at or before the time of collecting the information, the organisation undertakes to the individual to whom the information concerns that the organisation will not disclose the information without the individual’s consent;

(e)        the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;

(f)         the collection is necessary for research and all of the following conditions are met:

(i)         the purpose cannot be served by the collection of information that does not identify the individual or from which the individual would not be reasonably identifiable;

(ii)        it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;

(iii)       a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and

(iv)       the information is collected in accordance with Research Rules issued by the Privacy Commissioner; or

(g)        the collection is necessary for the purpose of a confidential alternative dispute resolution process.

2.6       Where an agency or organisation collects sensitive information about an individual in accordance with 2.5(f), it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

Note: Agencies and organisations that collect personal information about an individual from an individual or from someone else must comply with UPP 3.

NPP1 – COLLECTION

1.1       An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

1.2       An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

1.3       At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

(a)        the identity of the organisation and how to contact it; and

(b)        the fact that he or she is able to gain access to the information; and

(c)        the purposes for which the information is collected; and

(d)        the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

(e)        any law that requires the particular information to be collected; and

(f)         the main consequences (if any) for the individual if all or part of the information is not provided.

1.4       If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

1.5       If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

 

UPP3 – NOTIFICATION

At or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of, the:

(a)        fact and circumstances of collection, where the individual may not be aware that his or her personal information has been collected;

(b)        identity and contact details of the agency or organisation;

(c)        rights of access to, and correction of, personal information provided by these principles;

(d)        purposes for which the information is collected;

(e)        main consequences of not providing the information;

(f)         actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information of the kind collected;

(g)        fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and

(h)        fact, where applicable, that the collection is required or authorised by or under law.

 

UPP4 – OPENNESS

4.1       An agency or organisation must create a Privacy Policy that sets out clearly its expressed policies on the management of personal information, including how it collects, holds, uses and discloses personal information. This document should also outline the:

(a)        sort of personal information the agency or organisation holds;

(b)        purposes for which personal information is held;

(c)        avenues of complaint available to individuals in the event that they have a privacy complaint;

(d)        steps individuals may take to gain access to personal information about them held by the agency or organisation; and

(e)        whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred.

4.2       An agency or organisation should take reasonable steps to make its Privacy Policy available without charge to an individual:

(a)        electronically; and

(b)        on request, in hard copy, or in an alternative form accessible to individuals with special needs.

NPP5 – OPENNESS

5.1       An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

5.2       On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

 

UPP5 – USE AND DISCLOSURE

5.1       An agency or organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:

(a)        both of the following apply:

(i)         the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and

(ii)        the individual would reasonably expect the agency or organisation to use or disclose the information for the secondary purpose;

(b)        the individual has consented to the use or disclosure;

(c)        the agency or organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to:

(i)         an individual’s life, health or safety; or

(ii)        public health or public safety;

(d)        the agency or organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities;

(e)        the use or disclosure is required or authorised by or under law;

(f)         the agency or organisation reasonably believes that the use or disclosure is necessary for one or more of the following by or on behalf of an enforcement body:

(i)         the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii)        the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii)       the protection of the public revenue;

(iv)       the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)        the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal;

(g)        the use or disclosure is necessary for research and all of the following conditions are met:

(i)         it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;

(ii)        a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;

(iii)       the information is used or disclosed in accordance with Research Rules issued by the Privacy Commissioner; and

(iv)       in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable; or

(h)        the use or disclosure is necessary for the purpose of a confidential alternative dispute resolution process.

5.2       If an agency or organisation uses or discloses personal information under paragraph 5.1(f) it must make a written note of the use or disclosure.

5.3       UPP 5.1 operates in respect of personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

Note 1: It is not intended to deter organisations from lawfully cooperating with agencies performing law enforcement functions in the performance of their functions.

Note 2: Subclause 5.1 does not override any existing obligations not to disclose personal information. Nothing in subclause 5.1 requires an agency or organisation to disclose personal information; an agency or organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3: Agencies and organisations also are subject to the requirements of the ‘Cross-border Data Flows’ principle when transferring personal information about an individual to a recipient who is outside Australia.

 

NPP2 – USE AND DISCLOSURE

2.1       An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

(a)        both of the following apply:

(i)         the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

(ii)        the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b)        the individual has consented to the use or disclosure; or

(c)        if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

(i)         it is impracticable for the organisation to seek the individual’s consent before that particular use; and

(ii)        the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

(iii)       the individual has not made a request to the organisation not to receive direct marketing communications; and

(iv)       in each direct marketing communication with the individual, the organisation draws to the individual’s attention, or prominently displays a notice, that he or she may express a wish not to receive any further direct marketing communications; and

(v)        each written direct marketing communication by the organisation with the individual (up to and including the communication that involves the use) sets out the organisation’s business address and telephone number and, if the communication with the individual is made by fax, telex or other electronic means, a number or address at which the organisation can be directly contacted electronically; or

(d)        if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

(i)         it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

(ii)        the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

(iii)       in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

(e)        the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

(i)         a serious and imminent threat to an individual’s life, health or safety; or

(ii)        a serious threat to public health or public safety; or

(ea)     if the information is genetic information and the organisation has obtained the genetic information in the course of providing a health service to the individual:

(i)         the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and

(ii)        the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and

(iii)       in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or

(f)         the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

(g)        the use or disclosure is required or authorised by or under law; or

(h)        the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

(i)         the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii)        the enforcement of laws relating to the confiscation of the proceeds of crime;

(iii)       the protection of the public revenue;

(iv)       the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

(v)        the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1:       It is not intended to deter organisations from lawfully co‑operating with agencies performing law enforcement functions in the performance of their functions.

Note 2:       Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3:       An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

2.2       If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

2.3       Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

2.4       Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

(a)        the individual:

(i)         is physically or legally incapable of giving consent to the disclosure; or

(ii)        physically cannot communicate consent to the disclosure; and

(b)        a natural person (the carer) providing the health service for the organisation is satisfied that either:

(i)         the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii)        the disclosure is made for compassionate reasons; and

(c)        the disclosure is not contrary to any wish:

(i)         expressed by the individual before the individual became unable to give or communicate consent; and

(ii)        of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(d)        the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

2.5       For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

(a)        a parent of the individual; or

(b)        a child or sibling of the individual and at least 18 years old; or

(c)        a spouse or de facto spouse of the individual; or

(d)        a relative of the individual, at least 18 years old and a member of the individual’s household; or

(e)        a guardian of the individual; or

(f)         exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

(g)        a person who has an intimate personal relationship with the individual; or

(h)        a person nominated by the individual to be contacted in case of emergency.

2.6       In subclause 2.5:

child of an individual includes an adopted child, a step‑child and a foster‑child, of the individual.

parent of an individual includes a step‑parent, adoptive parent and a foster‑parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half‑brother, half‑sister, adoptive brother, adoptive sister, step‑brother, step‑sister, foster‑brother and foster‑sister, of the individual.


UPP6 – DIRECT MARKETING (ONLY APPLICABLE TO ORGANISATIONS)

6.1       An organisation may use or disclose personal information about an individual who is an existing customer aged 15 years or over for the purpose of direct marketing only where the:

(a)        individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and

(b)        organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications.

6.2       An organisation may use or disclose personal information about an individual who is not an existing customer or is under 15 years of age for the purpose of direct marketing only in the following circumstances:

(a)        either the:

(i)         individual has consented; or

(ii)        information is not sensitive information and it is impracticable for the organisation to seek the individual’s consent before that particular use or disclosure;

(b)        in each direct marketing communication, the organisation draws to the individual’s attention, or prominently displays a notice advising the individual, that he or she may express a wish not to receive any further direct marketing communications;

(c)        the organisation provides a simple and functional means by which the individual may advise the organisation that he or she does not wish to receive any further direct marketing communications; and

(d)        if requested by the individual, the organisation must, where reasonable and practicable, advise the individual of the source from which it acquired the individual’s personal information.

6.3       In the event that an individual makes a request of an organisation not to receive any further direct marketing communications, the organisation must:

(a)        comply with this requirement within a reasonable period of time; and

(b)        not charge the individual for giving effect to the request.


UPP7 – DATA QUALITY

An agency or organisation must take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.


NPP3 – DATA QUALITY

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up‑to‑date.

UPP8 – DATA SECURITY

8.1       An agency or organisation must take reasonable steps to:

(a)        protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure; and

(b)        destroy or render non-identifiable personal information if it is no longer needed for any purpose for which it can be used or disclosed under the UPPs and retention is not required or authorised by or under law.

8.2       The requirement to destroy or render non-identifiable personal information is not ‘required by law’ for the purposes of the Archives Act 1983 (Cth).

Note:                Agencies and organisations also should be aware of their obligations under the data breach notification provisions.


NPP4 – DATA SECURITY

4.1       An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

4.2       An organisation must take reasonable steps to destroy or permanently de‑identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.


UPP9 – ACCESS AND CORRECTION

9.1       If an agency or organisation holds personal information about an individual and the individual requests access to the information, it must respond within a reasonable time and provide the individual with access to the information, except to the extent that:

Where the information is held by an agency:

(a)        the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; or

Where the information is held by an organisation:

(b)        providing access would be reasonably likely to pose a serious threat to the life or health of any individual;

(c)        providing access would have an unreasonable impact upon the privacy of individuals other than the individual requesting access;

(d)        the request for access is frivolous or vexatious;

(e)        the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings;

(f)         providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;

(g)        providing access would be unlawful;

(h)        denying access is required or authorised by or under law;

(i)         providing access would be likely to prejudice an investigation of possible unlawful activity;

(j)         providing access would be likely to prejudice the:

(i)         prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii)        enforcement of laws relating to the confiscation of the proceeds of crime;

(iii)       protection of the public revenue;

(iv)       prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)        preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

            by or on behalf of an enforcement body; or

(k)        an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

9.2       Where providing access would reveal evaluative information generated within the agency or organisation in connection with a commercially sensitive decision-making process, the agency or organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note:                The mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information under UPP 9.2.

9.3       If an agency or organisation is not required to provide an individual with access to his or her personal information it must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.

9.4       If an organisation charges for providing access to personal information, those charges:

(a)        must not be excessive; and

(b)        must not apply to lodging a request for access.

Note:                Agencies are not permitted to charge for providing access to personal information under UPP 9.4.

9.5       An agency or organisation must provide personal information in the manner requested by an individual, where reasonable and practicable.

9.6       If an agency or organisation holds personal information about an individual that is, with reference to a purpose for which it is held, misleading or not accurate, complete, up-to-date and relevant, the agency or organisation must take such steps, if any, as are reasonable to:

(a)        correct the information so that it is accurate, complete, up-to-date, relevant and not misleading; and

(b)        notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances.

9.7       If an individual and an agency or organisation disagree about whether personal information is, with reference to a purpose for which the information is held, misleading or not accurate, complete, up-to-date or relevant and:

(a)        the individual asks the agency or organisation to associate with the information a statement claiming that the information is misleading or not accurate, complete, up-to-date or relevant; and

(b)        where the information is held by an agency, no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

             the agency or organisation must take reasonable steps to do so.

9.8       Where an agency or organisation denies a request for access or refuses to correct personal information it must provide the individual with:

(a)        reasons for the denial of access or refusal to correct the information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the information; and

(b)        notice of potential avenues for complaint.

NPP6 – ACCESS AND CORRECTION

6.1       If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

(a)        in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

(b)        in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

(c)        providing access would have an unreasonable impact upon the privacy of other individuals; or

(d)        the request for access is frivolous or vexatious; or

(e)        the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

(f)         providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(g)        providing access would be unlawful; or

(h)        denying access is required or authorised by or under law; or

(i)         providing access would be likely to prejudice an investigation of possible unlawful activity; or

(j)         providing access would be likely to prejudice:

(i)         the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

(ii)        the enforcement of laws relating to the confiscation of the proceeds of crime; or

(iii)       the protection of the public revenue; or

(iv)       the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v)        the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

            by or on behalf of an enforcement body; or

(k)        an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

6.2       However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision‑making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note:                An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

6.3       If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

6.4          If an organisation charges for providing access to personal information, those charges:

(a)        must not be excessive; and

(b)        must not apply to lodging a request for access.

6.5          If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up‑to‑date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up‑to‑date.

6.6          If the individual and the organisation disagree about whether the information is accurate, complete and up‑to‑date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up‑to‑date, the organisation must take reasonable steps to do so.

6.7       An organisation must provide reasons for denial of access or a refusal to correct personal information.


UPP10 – IDENTIFIERS (ONLY APPLICABLE TO ORGANISATIONS)

10.1     An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a)        an agency;

(b)        an agent of an agency acting in its capacity as agent;

(c)        a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract; or

(d)        an Australian state or territory agency.

10.2     Where an identifier has been ‘assigned’ within the meaning of UPP 10.1 an organisation must not use or disclose the identifier unless:

(a)        the use or disclosure is necessary for the organisation to fulfil its obligations to the agency that assigned the identifier;

(b)        one or more of UPP 5.1(c) to (f) apply to the use or disclosure; or

(c)        the identifier is genetic information and the use or disclosure would be permitted by the new Privacy (Health Information) Regulations.

10.3     UPP 10.1 and 10.2 do not apply to the adoption, use or disclosure by a prescribed organisation of a prescribed identifier in prescribed circumstances, set out in regulations made after the Minister is satisfied that the adoption, use or disclosure is for the benefit of the individual concerned.

10.4     The term ‘identifier’, for the purposes of UPP 10, includes a number, symbol or biometric information that is collected for the purpose of automated biometric identification or verification that:

(a)        uniquely identifies or verifies the identity of an individual for the purpose of an agency’s operations; or

(b)        is determined to be an identifier by the Privacy Commissioner.

             However, an individual’s name or ABN, as defined in the A New Tax System (Australian Business Number) Act 1999 (Cth), is not an ‘identifier’.

Note:      A determination referred to in the ‘Identifiers’ principle is a legislative instrument for the purposes of section 5 of the Legislative Instruments Act 2003 (Cth).

NPP7 – IDENTIFIERS

7.1          An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

(a)        an agency; or

(b)        an agent of an agency acting in its capacity as agent; or

(c)        a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

7.1A        However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note:                There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).

7.2          An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

(a)        the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

(b)        one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or

(c)        the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.

Note:                There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsections 100(2) and (3).

7.3          In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.

UPP11 – CROSS-BORDER DATA FLOWS

11.1     If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient (other than the agency, organisation or the individual) who is outside Australia and an external territory, the agency or organisation remains accountable for that personal information, unless the:

(a)        agency or organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to these principles;

(b)        individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred; or

(c)        agency or organisation is required or authorised by or under law to transfer the personal information.

Note:                Agencies and organisations are also subject to the requirements of the ‘Use and Disclosure’ principle when transferring personal information about an individual to a recipient who is outside Australia.


NPP9 – TRANSBORDER DATA FLOWS

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

(a)        the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

(b)        the individual consents to the transfer; or

(c)        the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre‑contractual measures taken in response to the individual’s request; or

(d)        the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

(e)        all of the following apply:

(i)         the transfer is for the benefit of the individual;

(ii)        it is impracticable to obtain the consent of the individual to that transfer;

(iii)       if it were practicable to obtain such consent, the individual would be likely to give it; or

(f)         the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.


NPP10 – SENSITIVE INFORMATION

10.1    An organisation must not collect sensitive information about an individual unless:

(a)        the individual has consented; or

(b)        the collection is required by law; or

(c)        the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

(i)         is physically or legally incapable of giving consent to the collection; or

(ii)        physically cannot communicate consent to the collection; or

(d)        if the information is collected in the course of the activities of a non‑profit organisation—the following conditions are satisfied:

(i)         the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii)        at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

(e)        the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

10.2     Despite subclause 10.1, an organisation may collect health information about an individual if:

(a)        the information is necessary to provide a health service to the individual; and

(b)        the information is collected:

(i)         as required or authorised by or under law (other than this Act); or

(ii)        in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

10.3        Despite subclause 10.1, an organisation may collect health information about an individual if:

(a)        the collection is necessary for any of the following purposes:

(i)         research relevant to public health or public safety;

(ii)        the compilation or analysis of statistics relevant to public health or public safety;

(iii)       the management, funding or monitoring of a health service; and

(b)        that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

(c)        it is impracticable for the organisation to seek the individual’s consent to the collection; and

(d)        the information is collected:

(i)         as required by law (other than this Act); or

(ii)        in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

(iii)       in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

10.4        If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de‑identify the information before the organisation discloses it.

10.5        In this clause:

non‑profit organisation means a non‑profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.