AUSTRALIAN PRIVACY CHARTER COUNCIL
Comments on the Privacy Commissioner's Draft NPP Guidelines
July 2001

Convenor

Australian Privacy Charter Council

Version of July 2001

© Australian Privacy Charter Council, 2001

This document is at http://www.privacy.org.au/apcc/Submns/PCNPPs0107.html


General comments

1. Lack of paragraph numbering makes it very difficult to comment concisely and much more time consuming. The final guidelines should have paragraph numbers for ease of reference. In these comments we have been forced to rely on page numbers, which may not `survive' in different prints. If there is any difficulty in locating the passage that a comment refers to, please consult.

2. The guidelines are written as though in ignorance of legal precedents and authorities, which do in fact underpin some of the interpretations. It would give the guidelines more authority if they included relevant references to Australian and overseas court decisions, eg: FOI law in relation to definition of personal information and access and correction; Johns v ASC (AHC) in relation to purpose limitation; Harder (NZ) and Eastweek (HK) in relation to collection (latter two are not helpful but are relevant and should be mentioned).


Chapter 2 - Terms

"Collect" - good to emphasise that it includes unsolicited acquisition

"Directly related purpose" - examples seem OK

"Related purpose" - these examples are arguably directly related? The distinction between `related' and `directly related' needs to be further clarified.

"Direct marketing" - essential to maintain this definition which accords with public expectations rather than the industry definition which is arbitrarily narrow.

"Disclosure" - could make it clear that it is any transfer outside the organization including to `related corporations'

"Necessary" - good definition, see also comments on p.47-48

"Personal Information"

"Practicable" - good strong starting point, but see qualifications under various principles below.

"Primary purpose" - disagree that can only be one (p.68 of GLs say if two primary purposes then two separate transactions at same time - this is semantics - effect is that an organization can have more than one simultaneous primary purpose, and it is unhelpful to give the impression that this is not allowed). An example would be a prize draw marketing collection - personal details are collected both for administration of a competition, and for direct marketing - neither purpose is dominant.

Should be an explanation of the relationship between `purpose' and `use' - in particular whether there can be more than one use for a single purpose (there can be).

"Record" - should mention relationship to generally available publications

"Required by law" - Privacy Act should not be excluded eg s.44.

"Use" examples are too restrictive - some important uses do not involve any new data - just actions based on the existing info.


Chapter 3 - Consent

This is generally a helpful chapter, emphasizing a strong interpretation, particularly on `voluntary', and on failure to respond or object, which supports the objectives of the principles.

"Express consent" - suggestion of recording will lead to arguments for recording calls, which may be undesirable from a wider privacy perspective - this tension should be acknowledged and addressed, perhaps by invoking the concept of `proportionality'.

"Implied consent" - poor example because it infringes `voluntary' criterion - no choice other than to discontinue the call.

"Opt out" - last two dot points of `conditions' for acceptable inference are unclear

Power company example is good but needs pursuing; ie: - easy opt out opportunity must be provided however the bill is paid.

Withdrawing consent - implies restoration of position - may not be realistic - cannot undo knowledge or some actions eg: once disclosed to third party cannot retrieve.

Needs discussion of one person giving consent for someone in a close relationship - spouse, joint account holder etc.

Needs discussion of common situation where an organization holds personal information about employees of another organization as a result of a commercial provision of services (eg fuel cards issued to employees of corporate clients). Is the service provider really expected to deal directly with the individual employees or can it rely on consent (and notice) from the corporate client and leave the client to deal with notice to employees? (See also comments on direct/indirect collection below).

Cultural issues reference has a wider importance than just in relation to consent - arguably out of place and should be moved elsewhere in the guidelines?


Chapter 4 - Collection

p.44 - Unclear basis for statement "In the case of sensitive information, it ensures that consent to collect includes consent to the proposed use and disclosure."

p.44 - Why single out `unwary' under fair & lawful?

p.46 - Odd example of collection: "notes down information from a website or downloads information from it;" - no ref to personal info

p.46 - Several examples assume a phone number is personal information - but this has not been discussed earlier (see comments under definition)

p.46 - Example: "keeps video tapes of images of its customer from its security cameras in ways that identify them" - doesn't deal with issue of `subsequent' identification eg by face matching.

p.46 - Example: "tracks individual movements on the internet using a cookie or web bug" - odd use of `movements' (`behaviour' better?). It also assumes IP addresses are personal information - (see comments under definition).

p.47 - Meaning of `necessary' - needs discussion of whether this `dictates' particular business models - presumably not, ie: just because an alternative business model would not have required some collection does not mean that an organization cannot collect personal information if it is necessary for the business model it has chosen?

p.47/48 - Could usefully discuss whether necessary implies `proportionality' ie necessary AND not excessive (words used in Hong Kong law).

p.48 - Necessary collection and related corporations - ambiguous guidance - latter part appears to contradict the former - no separate purpose other than collection for a related organization. Should also avoid using `related organization' here if the advice is restricted to the specific technical meaning of `related corporation'.

p.49 - Confusion between illegal and unlawful. These are not synonyms. Illegal implies breach of a specific law, unlawful is a wider concept, eg: an agency behaving `ultra vires'.

p.49 - Example of illegal/unlawful: "using video surveillance that was not allowed by a State or Territory law." - implies that all States/Territories have laws that expressly authorise surveillance - some do not.

p.50 Unreasonably intrusive 'way' - needs explanation of whether this is restricted to `means' or also goes to issue of `proportionality' - eg: Is amount/type of information requested excessive for purpose? Also - if less intrusive alternatives are available, could failure to choose them be a breach of this principle?

p.50 - Example of intrusive: "ringing an individual without consent in the middle of the night or at meal times to market a product" - `middle of the night' is unnecessarily emotive/provocative (and unlikely) - use instead `at unreasonable hours' (and perhaps refer to ADMA code hours?)

p.52 - First dot point factor re notice: "whether the individual needs the information to make an informed decision about whether to give that information" - this is not for PC to second guess - the Principle says that the individual must be aware of all the specified matters.

p.55 - Example of where no notice: "where the identity of the organisation collecting the information is obvious from the circumstances" - should qualify with a caution - people are often confused about who they are dealing with.

p.56 - Do not need to mention rare disclosures - OK as long as do not give false assurances about absolute confidentiality, which can never be claimed given override of `required by law'. The Guidelines should make this point as too many organizations routinely make the claim of total confidentiality.

p.56 - Disclosures to related bodies corporate - presumably only necessary to mention if it is intended to disclose? Ie: it is not the function of the notice to spell out all the theoretical possibilities under the principles.

p.58 - NPP 1.5 - suggestion of "advertise in local media" - dangerous - unlikely ever to suffice.

p.58 - Where collection is from public sources should be able to rely on agencies notifying people about disclosures. Even in private sourcing, could emphasise the closing of the loop by the source's compliance with NPP1.3.

p.59 - Collecting sensitive info without consent - FTRA is a poor example - identity is not `sensitive' data as defined

p.60 - Why Q4.4? - can only be used by a health service provider.

p.61 - collection for research, statistical etc - `sensitive' missing in line 3


Chapter 5 - Using & Disclosing

p.64 - "within reasonable expectations" - dangerous to equate with "if asked would agree" - different test (see also p.68).

p.65 "may have wanted to give additional or less information" - insert `or different'

p.65 "only allowing other secondary uses and disclosures in very limited circumstances" - not really true - actually very broad exceptions - not even true for (c)-(j) as suggested lower down page

p.66 "not override ethical or professional standards" - insert "legal requirements or ..." to fit with heading

p.67 bullet point "questions to determine the primary purpose" - what if answers are different?!!

p.67 "an organisation can contract out a function or activity in relation to personal information it holds without getting the individual's consent as long as the function or activity is for the primary purpose" - what is the basis for this?? - still a disclosure and must meet one of exceptions??

p.67-68 - repetitive re purpose definition with collection principle - cross refer instead??

p.70 - reasonable expectation is of someone with "no special knowledge of the organisation or the industry" - but surely such knowledge may be relevant??

p.70 - charity newsletter poor example

p.71 - what notice has been given is cited as one factor - surely should be a one-to-one correlation?

pp.69-72 - needs combined examples covering both related/directly related and reasonable expectation

p.73 - unsolicited email not necessarily automated - confused use of spam label

p.72-77 - Direct marketing discussion needs to cover all possible exceptions not just 2.1(c) - will only be intelligible if it starts from various scenarios and talks through how the principles would allow/prevent direct marketing

p.72-78 - Major ambiguity about whether direct marketing and health provisions (2.1 (c) and (d)) operate as additional overriding provisions for all direct marketing uses and health uses and disclosures, or whether both of these activities can alternatively be conducted under 2.1(a) if they can pass the tests of `related/directly related' and `reasonable expectation'? There is an attempt to deal with this on p73, but it is not clear enough.

If (a) applies to a limited `zone' of related marketing within reasonable expectations, then within that zone there is no need for any consent (either opt-in or opt out), although notice will be required under NPP 1.3.

Outside that zone, or if (c) applies to all direct marketing, then there is a requirement to either gain consent or, if that is impracticable, give individuals notice and an opportunity to opt-out in each direct marketing communication.

Given the Guidelines on the meaning of `consent' and `impracticable' many observers are concluding that this effectively means that organizations will generally only be able to undertake direct marketing on the basis of a positive `opt in'. The Guidelines should clarify whether this is indeed the effect.

p.75 - Spam - where using data collected from a third party, clearly impracticable for spammer to have sought consent first?

p.75 - statement "It must also offer the individual who does not opt out the chance to opt out every other time it communicates with that individual for that direct marketing purpose." Deserves a separate heading - currently lost at the end of another point.

p.76 - Not charging heading is missing the (c) + How does "They can also charge different prices" sit with interpretation of consent in Chapter 2 as involving low cost of exercising the opt-out, and harmless consequences of failing to opt-out?

p.76 - "What is a request?" needs to address question of verifying identity of person making request.

p.76 - Hanging up - very tough - unless caller has verified that the person is the `target' - otherwise would have to act on action of whoever answered phone?

p.76 (bottom) - "Comply with requests not to receive direct marketing" - this heading and paragraph appear out of place

p.77 first paragraph - "draw to the individual's attention, or prominently displays a notice" - The Act has these as alternatives - but one is a means of doing the other - surely guidelines should reflect this intention?

Also "prominently display" needs more than `same size type and easily seen' - implies at least a bold heading identifying the issue eg "If you do not want to receive further communications"

p.77 - "Giving contact details in the direct marketing material"

Should also explain that bus address and phone no needed in any written (postal) DM - currently only addresses electronic, phone & fax.

p.77 - Needs explanation of position re research use of non-health p.i. - including when research would not be `using' pi because it had been de-identified, and when research would be a related or directly related purpose (quite often)

p.79 "What NPP 2.1(f) says" - at end should read 2.1(g)

p.79 "How NPP 2.1(f) works" - should stick to "unlawful activity" rather than narrower `crime'

p.79 "The types of unlawful activity that an organisation investigates or reports should be related to the activities or functions of that organisation" - needs explanation of where an organisation stands if it becomes aware of unlawful activity that does not affect the organisation itself.

p.80 "officers of the Police force" belongs under `relevant authorities' not `relevant persons'

p.81 - 2.1(g) does not mention `express or implied' - need to explain why you are bringing this in. Discussion of implicit requirement uses poor examples - where there is a direct request for information which incidentally includes pi then that is surely an example of an express requirement. Implicit requirement would be where a third party requires general assistance (eg without specifying any information requirement) and the data holder judges that use or disclosure of some pi is necessary to render that assistance.

p.82 - "Notice of disclosure" - needs more emphasis and explanation on `regular' - how regular - examples (eg Austrac, bulk data to ATO or Centrelink, but not ad hoc disclosure to police under warrant). Description of recipients could be generic eg: state revenue offices

p.83-87 - Section re 2.1(h) - headings and text should not include `law' enforcement - misleading - just `enforcement' to reflect broader scope - common meaning of law enforcement would not include revenue protection or all court/tribunal preparation. Some usages are just wrong, eg: "In order to rely upon NPP 2.1(h) an organisation must reasonably believe that that it is reasonably necessary to use or disclose personal information for a law enforcement body" on p.84

Whole section also needs some advice on having procedures in place to assess requests under this exception - preferably involving a senior decision maker.

p.83 - Needs greater emphasis and explanation of `by or on behalf of' to explain that must be initiated by the enforcement body - organizations can't volunteer info under this exception (but relationship with 2.1(f), which may trigger enforcement body request).

p.83 - "Does not require disclosure" - this paragraph should emphasise that organizations must be careful to ensure that they don't respond to requests from enforcement agencies under this exception in circumstances where a warrant or other formal order is actually necessary eg an interception warrant for content or substance of a telephone call (poor example as this is separately covered by Telecoms law, perhaps find a better example - but point is crucial - must avoid 2.1(h) being used as a back-door).

p.84 - re "intelligence gathering" - OK to make the point that this is possible under the exception, but would expect a firmer caution that it will not be the norm and organisations should question `necessity' even more rigorously.

While it is good to rule out data matching, how will an organization know how an enforcement agency intends to use the info - if bulk disclosure for intelligence gathering is allowed, opens the door for matching? Can/should organizations impose conditions?

p.85 - re non-Australian law offences - should make it clear that must be by or on behalf of an enforcement body as prescribed and these are only Australian - requests from other jurisdictions must therefore come via an Aus agency. (same point under proceeds of crime laws heading)

p.86 Should comment on whether any laws are or are expected to be prescribed

p.86-87 - "The protection of public revenue" - needs explanation of what would not be included eg: general claims re government efficiency, leakage of revenue etc.

p.87 "Seriously improper conduct" - needs reminder that has to be by or on behalf of an enforcement body as listed in s.6, and these do not include professional bodies, registration boards etc - so there has to be some involvement by another enforcement body.

p.87 "Proceedings in a court or tribunal" - same point as above - has to be by or on behalf of an enforcement agency, so does not apply to private litigation

Also, - "on the basis of the general exception" - error - should be `general principle'

p.87 "note of use or disclosure" - needs explanation of what `in that record' means - is it OK to record separately? (many systems won't be designed to add a field to the basic record). Also issue of whether note should be visible when record is accessed again - often not appropriate eg: won't want all employees to see it, but must be able to locate and bring up when relevant eg: in subject access?


Chapter 6 - Data Quality

p.90 "When does NPP 3 apply?" - could usefully say that while there is no requirement to check until use/disclosure, may be sensible to have a more routine check (eg request with annual statements) to avoid more onerous checks on a case by case basis.

p.90-91 "Completeness" - needs more about importance of context - data must be `fit for purpose' - may have quite far-reaching implications for verifying and seeking additional information?

We note that relevance (in IPPs) is not in NPPs - was there a conscious decision that this was subsumed by completeness, and by requirement for collection to be necessary? A comment on the significance of this difference would be helpful.

p.93 "there may be times when it is appropriate to check information with a third party but organisations can only do this if it does not breach NPP 1.4 or NPP 2." - this deserves further discussion - particularly in relation to checks against publicly available sources.


Chapter 7 - Security

p.96 "a personnel security system which ensures that people who need to access certain types of information are considered" - odd wording - considered for what??

Security chapter needs more discussion about the privacy intrusive nature of many security measures (workplace monitoring, personnel vetting) and the need to find a balance - partly to comply with `not unreasonably intrusive' collection (NPP 1.2)

p.101 - "contracting out carries high potential risks of compromising ...privacy" What justification for this - contractors will often be more experienced in security than the client - may well be safer. (Doesn't mean guidance which follows is not useful - just disagree with the statement). Should also mention that contractors will also be subject to the Act in their own right (unless exempt for another reason), and explain how PC will approach deciding who is at fault in cases where privacy is breached with data being handled by a contractor.

p.103 "destroying/de-identifying data" - would be helpful to discuss the status and accuracy of the common assumption about 7 year storage for legal liability - is this well founded and does it necessarily mean keeping everything? Hasn't there been a recent change in tax office requirements from 7 to 5 years?


Chapter 8 - Openness

p.104 - Background implies purpose is all about data subjects - not so - just as much aimed at general community/public awareness of data handling practices.

p.105 - suggested content for 5.1 statement "whether it contracts out services" - should say only if they involve personal information.

p.107 - suggested content for 5.2 details "Any functions or activities of the organisation that are outsourced should be included" - same comment as above re p.105.


Chapter 9 - Access & Correction

This chapter would benefit from FOI Act precedents - would give some aspects of the advice more authority (eg: using selective deletion so as to allow release of as much as possible - p.110).

p.111 - arguable that access "gives an individual control over the personal information an organization holds ... by enabling the individuals to find out what information is held about themselves". Agree that it assists them to exercise other rights but no value in making unsupportable claims.

p.112 - under `Individuals do not have to give reasons' - all true, but will often be helpful to ask about context of request to help locate the information, and also avoid `swamping' requesters with material they do not want.

p.113 - contracting out - should emphasise even more that the `client' organization remains ultimately responsible under the Act for compliance with NPP6.

p.113 - form of request - OK to give this advice but should emphasise that individual can always insist on a more formal process.

p.113 - last dot point `circumstance' - justification not clear - why should volume be a factor in whether a written form is more appropriate - may in fact `justify' an alternative automated process?

p.114 - not clear why it is more important to have identity checks with telephone/on-line- may be equally important in postal or in face to face where individual is not known to staff.

p.115 - assertion about cost not being onerous needs support - overseas experience? FOI?

p.115 - second dot point - only amount can be excessive - `charging' itself cannot be excessive

p.115 - fourth dot point - qualify costs involved in having someone explain "only if required"

p.116 - suggestion that evidence of destruction may be required - will never be able to prove - best will be indirect evidence of `a batch' of records having been destroyed at a particular date/time?

p.117 - partial access - suggest `access should only be denied to information that is exempt ...' rather than `to parts of the record' which may lead to withholding of pre-defined `chunks' rather than the desirable case by case analysis. (FOI precedents here)

p.118 - correction not necessary if inaccessible and not used - not only whether the organization itself intends to use it - need to consider likelihood and consequent potential harm of third party access eg by law enforcement.

p.118 - changing record not appropriate - what basis for saying `not many' situations - likely to be quite common that a full record of before and after state needs to be kept.

p.120 - second inset dot point - suggest adding at end `ie: even where the threat is not imminent', to make this point clearer.

p.121 - following details not needed in most cases - disagree - every organization needs to understand at least the exception for `third party privacy' (6.1(c)).

p.121 - NPP 6.1(c) - needs discussion of joint information situation eg: joint accounts

p.121 - NPP 6.1(d) - frivolous and vexatious - poor example `pursuing unrelated grievance' - depends what is meant by unrelated - privacy act access will often properly be used in pursuance of other disputes about billing, service etc - even though there is no suggestion of a breach of privacy.

p.122 - NPP 6.1(g) - providing access unlawful - needs discussion of application to more general secrecy provisions which were often drafted without any specific reference to consent as an exception. Organisations should not be able to hide behind a general secrecy provision to deny `subject access' (mainly an IPP issue for agencies, but there are some private sector organizations subject to secrecy laws eg telcos, share registries).

p.123 NPP 6.1(h) - denying required or authorized by law - required by law same point as above. Authorized by law - if discretion, then may be criteria in the relevant law, and should always be balanced against privacy right.

p.123 - NPP 6.1(i) - prejudice an investigation - should make it clear that this will normally be time limited - will usually come a time when information should either have been acted on or disposed of - if neither, then should give access.

p.123 - `what is a sanction' and `what is a penalty' paragraphs appear `orphaned' - not clear why they appear here?

p.124 - caution needed paragraph - this is a generic point relevant to use of all exceptions.

p.124 - might be helpful to mention credit scoring as the common name for this example.

p.125 - example of reason for decision "you did not pass our risk assessment process" is arguably not enough detail - sets an important precedent and need to be confident this is good enough. Might benefit from reference to natural justice principle in administrative law, which while not directly applicable may be relevant in some cases?

p.126 - what is an intermediary? - role is not necessarily to explain the contents - may be simply to confirm a fact or status (see also third dot point lower on page). Suggest `specific' to replace `explicit' in penultimate line of paragraph.

p.126 - when it is reasonable ... - second dot point - premature to say that (a) and (b) will be the areas where most common to use intermediaries - what evidence or justification?

p.127 - second dot point - increased access may be the result - why is this necessarily a problem?

p.127 - third dot point - ambiguous - does this mean that costs must be borne, or `any costs that are borne'? Refer p.115 last inset dot point and comment above, and p.128, which are contradictory as to who should pay.

p.127 - last dot point - needs better explanation of issue of intermediaries access to third party information and how to deal with this.

p.128 - costs - see contradiction with p.115

p.128 - transitional application - second para - if not used or disclosed after 21/12 should question why still kept (IPP4). Also, re last two dot points, could suggest that if systems are in place for `new info' may be relatively easy to apply to `old info' as well.


Chapter 10 - Identifiers

p.129 - NPP 7.1 reference to regulations - should say that none made to date of publication (and comment on likelihood?)

p.129 - NPP 7.2 - second dot point - how is an organization to know that one of these applies - explain that it would usually be at request of a government agency, not on own initiative.

p.130 - first paragraph last line - suggest delete `by stealth' and add "without express authorization" at the end.

p.130 - explain exemption of ABN - why different from TFN or Medicare No?

p.130 - ref not applying to state identifiers - should say that may be equivalent state laws (eg Victoria).

p.130 - re collecting - should explain that a collection must imply a use, and must therefore still meet 7.2 - either fulfilling obligations to an agency or under exceptions (e) to (h).


Chapter 11 - Anonymity

p.132 - fourth para - arguable discussion of `reasonably ascertain' identity - see comments on definition of personal information above.

p.132 - sixth (last) paragraph, line 5 - replace `each party' with `one or both parties'

p.133 - anonymity in information systems - the first paragraph needs to make a distinction between `read only' or enquiry access by customers or the public (where the aim is anonymity); transaction access by customers where identification may well be required for billing, accountability etc, and access by employees where identification will normally be justified - not least as security and accountability measure.

p.134 - first paragraph is advice to exempt organizations - arguably out of place in NPP guidelines - if it is to stay it should be more clearly labeled as not `compliance' advice.

p.134 - second para should presumably read "...website to permit users to access ..." but if so, too strong a statement - many web sites will require identification for any services (as opposed to mere browsing).


Chapter 12 - Transborder Data Flows

p.135 - fifth paragraph - statement that NPP9 gives individuals control is too strong - see similar comments earlier.

p.136 - first paragraph - not accurate to talk of a comparable `scheme' (given option of contract and consent which will not involve `schemes') - suggest replace with "unless comparable privacy protection measures are in place"

p.136 - second paragraph - could make it clear that second sentence only applies to transfers within the same organization (because they are not `disclosures') and not to transfers between `related corporations' which are disclosures and to which NPP9 and NPP2 will still apply.

p.136 - third paragraph - inaccurate - there are no limits on `circumstances' - only `conditions'.

p.136 - forming a reasonable belief - the Commissioner could usefully commit to a more pro-active and helpful role (as suggested by the EU Article 29 Committee) - surely it is reasonable to expect a `white list' in due course? Seems both onerous and arguably improper for the Commissioner to suggest that almost all transfers will require external consultancy advice.

p.137 - first paragraph - seems unrealistic to expect an organization to analyse a foreign law or scheme in such depth that it could understand if there were undermining weaknesses - hence need for `official guidance' in the form of white lists etc

p.137 - difficult for contracts alone to deliver effective complaints handling and enforcement in absence of a `scheme' - eg: law or code or seal program, and yet (a) clearly envisages it - this suggests that the requirement for such mechanisms (spelt out on p.136) may be too tough?

p.137 - NPP 9(b) - should be cross reference back to chapter on Consent (comes out of place in next paragraph) and preferably a direct reminder of key requirements including real option of saying no.

p.137 - NPP 9(c) - needs an explanation

p.137 - NPP 9(d) - needs discussion of whether this means `necessary given the design of the system' or necessary in a more absolute sense. Examples would help eg - transfer obviously absolutely necessary for fulfillment of international air travel, but only necessary for credit card authorization because of the way the system is organized - could be done with `in-country' checks.


Chapter 13 - Health

p.140 - general background - effect of health info provisions is arguably to give more flexibility only in research context - in managing/funding it can be seen as imposing more restrictions - see below (and discussion on pp 148-149).

p.140 - second paragraph - suggest replace `not suitable' with `not adequate'.

p.140 - third para - suggestion that it is `best to get consent' - needs to be clear that this is just advice - strict compliance can be achieved in any of the ways provided for.

p.142 - second para (after bullet points) - inaccurate - this part doesn't deal with s.95A first - next para does but then goes to other two and back to s.95A on p 150.

p.142 - collection under s.95A - this looks like probable content for the guidelines - needs clearer explanation - move to p.150?

p.144 - what is meant by `management ....'? - these examples are unlikely to meet the criteria for use in 2.1(d), so no point in collecting?

p.145 - requires collection - second paragraph - needs to distinguish `requires provision' from `requires collector to seek but no power to compel provision' - the latter should not be seen as collection required by law?

p.145 - what is a competent health and medical body - could emphasise that this is not applicable to the management/funding etc exception - further limiting the scope and effect of it.

p.146 - what are binding rules - suggest replace `penalties for organisations' with `penalties for professionals'

p.146 - second paragraph - contractual provisions can readily be made public (transparent) - difficulty with enforcement is of a different higher order.

p.147 - not clear if NPP 2.1(d) overrides (a) - see comments under NPP2. If not, then 2.1(a) would allow health info collected for research and stats to be used/disclosed without considering 2.1(d)? - see also discussion on pp 148-149 which suggests (a) is independent of (d).

p.147 - first paragraph under NPP 10.4 - this is too dogmatic - may be OK to disclose without de-identification if no `reasonable' steps possible.

p.151-152 - de-identification - seems to adopt a different interpretation from the Commissioner's general approach to definition of personal information (the absence of guidance on which has been criticized earlier) which has been to suggest that other information can be a factor in potential for identification. This is also raised in the penultimate paragraph on p.152 in relation to recipients. This whole issue is fundamental and clearer guidance is required. It would seem unreasonable to expect an organization considering disclosure of de-identified information to know the precise circumstances of the recipient that might allow re-identification of at least some individuals.


Nigel Waters, Convenor

Australian Privacy Charter Council
02 4981 0828 or 0407 230 342
convenor@apcc.org.au

Created: 30 July 2001

Last Amended: 30 July 2001