Australian Privacy Foundation
Submission to the Office of the Federal Privacy Commissioner (OFPC)

Dated January 2003

This document is at http://www.privacy.org.au/Papers/SubmnOFPC0212.html


Submission on OFPC draft Information Sheet: "Taking reasonable steps ...."

Introduction

We welcome the proposed Information Sheet, as there is clearly considerable misunderstanding amongst organizations subject to the Privacy Act as to their obligations.


General comments

We think the paper could adopt a more assertive starting position - that in very few cases would it be reasonable for an private sector organisation not to ensure that its customers know all the NPP1.3 items. The occasions when it may not be reasonable for a customer to be aware that personal information is being collected about them would be limited to unexpected and/or exceptional cases, usually in connection with suspected illegal activity. Even so, the possibility that this may occur in such cases may well be able to be addressed in the organisation's NPP5 privacy policy statement.

There is a danger that as presently drafted the paper could be seen as a `shopping list' of reasons for not being open with individuals. It would be unfortunate if a publication from OFPC took on this character.

Occasions where organisations collect information from their customers without their knowledge for the purpose of investigating or preventing unlawful activity should be limited to specific cases and not be a matter of routine surveillance. The paper could usefully remind organizations that at all times the collection must also be necessary, lawful, fair and not unreasonably intrusive, to comply with NPP 1.1 and 1.2.

Most of the occasions discussed in the Information Sheet when there may be few or no reasonable steps to ensure awareness are when organizations collect information from their customers or from other organisations about third parties. The paper should remind organisations to keep in mind, however, that NPP1.4 requires them to collect information about someone directly from that person where reasonable and practicable.


Specific comments
p.3 - Ramifications for individuals

This is somewhat complicated and repetitious. We suggest that the key point under the first dot point is whether or not the uses or disclosures are `inconsistent' with the purpose of collection, and if so, which of the exceptions under NPP2.1 are relevant. Whether or not there are `robust procedures in place' should be a `given', and in nay case does not fit under this heading.

p.3 - Sensitivity

The first paragraph is clearly about a wider concept of sensitivity than just the definition in the Act (which is covered in the next paragraph). While this is welcome, it should therefore not be confined to `sensitive in nature' but also `sensitive in context'.

p.4 Legal professional privilege

The two mentions of this on this page could usefully be supplemented with examples - it is not immediately obvious how legal professional privilege - presumably owed to a client, could conflict with notification of that individual. If the context is notification of third parties, then this should be made clear.

General comment regarding "when no notice or limited notice may be reasonable"

Despite the heading, this section does not adequately emphasise that many cases where another competing legal obligation or public interest is relevant will only require withholding of some of the NPP 1.3 items - there will only be limited, and hopefully far fewer, circumstances where it is necessary to withhold all notice.

p.5 - a good example of a relevant statutory obligation would be the Financial Transaction Reports Act requirement not to notify a customer of a suspect transaction report to AUSTRAC.

p.5 - the example under (d) Breach of NPP2 exposes a conflict between the principles - it is difficult to see how Jones is not `deceived and misled' if he or she is not notified about the NPP1.3 matters. This may be inevitable, and even desirable, but the paper should not pretend that it is possible to comply with 1.2 in such circumstances. Also, it is not clear that the suggested `conditions'(used only to help contact, not disclosed and deleted) are just that - mere suggestions, and could not be enforced (unless it is being suggested that they could be made a binding condition of agreeing to less than full 1.3 notice?).

p.6 - first paragraph

It is unrealistic to expect organizations to weigh up all of the factors in each case - most organizations have a legitimate need for standard policy on these sorts of matter which can be communicated clearly to staff and incorporated in documentation, telephone scripts and the like. Notice to individuals is simply not amenable to case by case decision making.

Also, it is not clear why you suggest that there is more latitude in the meaning of reasonable steps in NPP 1.3 and 1.5 than in NPP 2. This implies that NPP 2 is somehow more important than the notice provisions when it is arguable that, given the breadth of the NPP 2 exceptions, it is notice and awareness that is all-important (this Is recognized later at the end of the third paragraph on page 7).

p.6 - third paragraph under "Prejudice"

The sentence "For example, policy documents and insurance claims forms could reasonably include notification ..." should read "For example, insurance policy documents and claims forms must/should include notification ...". It is difficult to see that there would be any circumstances where this would not be required.

p.7 - Archivists

We are not sure how realistic it is to include the last paragraph about possible obligations under NPP10.

p.7 - Liquidators

We feel this section is too permissive. Surely individuals in these circumstances are entitled to know that their information is being used (albeit for a common purpose such as marketing) by a different party (we would have thought that there are other notice obligations under corporations or bankruptcy law which would give an opportunity to convey NPP 1.3 information). The recent Toysmart case in the US is relevant here and suggests that even significant costs should not be seen as an obstacle to notification.

p.9 - Financial Counsellors and p.10 Health Services

The advice in relation to financial counsellors is similar to the effect of the `family medical history' Determination. We have the same difficulty with it. We feel that there should be a presumption in favour of the third parties concerned being notified, and encouragement for the person seeking counseling to inform those third parties (recognizing that it will not be appropriate or practicable in some cases).


Navigation

Go to the APF Home Page.

Send an email to APF

Created: 7 February 2003

Last Amended: 7 February 2003


Sponsorship

APF thanks its site-sponsor: