2. UPP 2: Collection

Updates and background for this project (Digest)

• Introduction
• Purposes of collection
• Means and manner of collection
• Collection from the individual concerned
• Unsolicited personal information
• Sensitive information

2.1 This chapter examines UPP 2, which the ALRC recommended as the model privacy principle on the collection of personal information.

2.2 The first part of the chapter analyses UPP 2.1 to 2.4, which contain the rules that apply generally to the collection of personal information.

2.3 The second part of the chapter examines UPP 2.5 and 2.6, which contain provisions that apply specifically to the collection of categories of personal information that have been defined as sensitive information under the Privacy Act.

2.4 For reading convenience, the provisions of UPP 2.1 to 2.4 are reproduced here, while UPP 2.5 and 2.6 are quoted later in the chapter.¹

UPP 2. Collection

2.1 An agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities.

2.2 An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

2.3 If it is reasonable and practicable to do so, an agency or organisation must collect personal information about an individual only from that individual.

2.4 If an agency or organisation receives unsolicited personal information about an individual from someone else, it must either:


(a) if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or

(b) comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had actively collected the information.

The ALRC’s recommendation

2.5 Principle 1 of the Privacy Act provides that an agency may only collect personal information if the:

• information is collected for a lawful purpose directly related to a function or activity of the agency; and
• collection of that information is necessary for, or directly related to, that purpose.

2.7 The ALRC, in Report 108, recommended that the collection principle in the UPPs “should provide that an agency or organisation must not collect personal information unless it is necessary for one or more of its functions or activities”.² This recommendation is found in UPP 2.1

2.8 The ALRC used NPP 1 as the template for UPP 2.1. It noted that NPP 1 is simpler in form than Principle 1.³ Further, it observed that the requirement in NPP 1 that an organisation must not collect personal information unless it is “necessary for one or more of its functions or activities” implies an objective test, that is, “the collection has to be necessary, not necessary merely in the opinion of the organisation”.⁴ It asserted that an “objective test should encourage organisations and agencies to give careful consideration to whether the personal information they collect is genuinely necessary for their functions or activities”.⁵

2.9 The ALRC’s final recommendation may be compared with its proposal in DP 72, which stated that the collection principle in the model UPPs should provide that an agency or organisation must not collect personal information unless it reasonably believes the information is necessary for one or more of its functions or activities.⁶ The ALRC acknowledged in Report 108 that a number of submissions expressed concern that, under the original proposal, what is necessary for the functions or activities of an agency or organisation is determined by the subjective belief of the agency or organisation. The submissions preferred an objective test and the ALRC agreed with such view.⁷

2.10 Consequently, the ALRC removed the subjective test in its original proposal. It did not, however, consider it necessary for UPP 2.1 to expressly provide that the collection must be reasonably necessary for one or more of the collector’s functions or activities, and that the perspective of the reasonable person is to be applied in determining the necessity of the collection. It opined that these requirements are already implied by the terms of UPP 2.1.⁸

2.11 Further, the ALRC said that it is unnecessary to provide expressly that the purpose of collection should be lawful and objectively reasonable. It argued that its recommendation implies that: (1) the activities and functions pursuant to which agencies and organisations collect personal information must be lawful; and (2) such collection pursuant to those functions must be lawful. It declared that the collection principle does not, and cannot, make unlawful collections lawful, for example, where an agency collects information beyond the scope of its powers.⁹

The current law in NSW

2.12 Section 8 of PPIPA provides that a public sector agency must not collect personal information unless:

• the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
• the collection of the information is reasonably necessary for that purpose.

• the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and
• the collection of the information is reasonably necessary for that purpose.¹⁰

2.14 The Commission supports UPP 2.1, subject to some suggestions discussed below. The provisions of UPP 2.1 simplify but still capture the essence of the current NSW privacy principles that an agency must not collect personal information unless it is necessary for one or more of its functions or activities.

2.15 The Commission agrees with the view expressed by the ALRC that it is unnecessary to provide expressly that the purpose of collection should be lawful. A collection principle based on UPP 2.1 implies that the activities and functions pursuant to which agencies and organisations may collect personal information must be lawful, and such collection pursuant to those functions must be lawful.

2.16 The Commission, however, differs with the ALRC regarding the provision of a test for the necessity of the collection. The Commission is of the view that UPP 2.1 should — like s 18 of PPIPA — provide that the collector of the collection of personal information may collect the information if the collection is reasonably necessary for one or more of its functions or activities. Further, there should be express provision (not necessarily in UPP 2.1) that an objective test is to be used in determining whether the collection is reasonably necessary under the circumstances. An express provision would give clarity and certainty for agencies that they may only collect personal information that is necessary for their functions or activities, not information that they reasonably believe may be necessary for their functions or activities. It should induce them to give judicious consideration to whether the personal information they collect is genuinely necessary for their functions or activities. Further, an express provision would better inform individuals about the test by which their personal information may be legitimately collected, which may enable them to challenge any inappropriate collection.

2.17 The Personal Information Protection Act of the Canadian province of Alberta offers a reform model on this matter. Section 11 of this Act states the principle on the collection of personal information in the following manner:

(1) An organization may collect personal information only for purposes that are reasonable.

(2) Where an organization collects personal information, it may do so only to the extent that is reasonable for meeting the purposes for which the information is collected.

Where in this Act anything or any matter

(a) is described, characterized or referred to as reasonable or unreasonable, or

(b) is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner,

the standard to be applied under this Act in determining whether the thing or matter is reasonable or unreasonable, or has been carried out or otherwise dealt with reasonably or in a reasonable manner, is what a reasonable person would consider appropriate in the circumstances.

RECOMMENDATION 1

UPP 2.1 should be modified as follows:

2.1 An agency or organisation must not collect personal information unless it is reasonably necessary for one or more of its functions or activities.

RECOMMENDATION 2

The legislation containing the UPPs should provide that, subject to express contrary intention, where a matter in the UPPs
• is described, characterised or referred to as reasonable or unreasonable, or
• is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner,
the standard to be applied in determining whether the matter is reasonable or unreasonable, or has been carried out or otherwise dealt with reasonably or in a reasonable manner, is what a reasonable person would consider appropriate in the circumstances.

2.20 The ALRC’s recommended UPP on collection contains the following provision on the means and manner of collecting personal information:

An agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.¹⁵

2.22 In NSW, PPIPA contains the following relevant provisions:

• Section 8(2) provides that a public sector agency must not collect personal information by any unlawful means.
• Section 11(b) provides that, if a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

2.24 UPP 2.2 should be adopted in NSW. It would simplify the NSW provisions and strengthen the safeguards on the collection of personal information by requiring that the means used for such collection be lawful as well as fair.

COLLECTION FROM THE INDIVIDUAL CONCERNED

The ALRC’s recommendations

2.25 The current Principles on collection of personal information (Principles 1-3) do not impose a requirement on agencies to collect information directly from an individual.

2.26 In contrast, NPP 1 requires organisations, where reasonable and practicable, to collect personal information about an individual only from that individual.

2.27 The ALRC, in Report 108, recommended that the collection principle should require agencies and organisations, where reasonable and practicable, to collect personal information about an individual only from the individual concerned.¹⁷ This recommendation is embodied in UPP 2.3.

2.28 It reasoned that its recommendation would increase the likelihood that personal information collected will be accurate, relevant, complete and up-to-date. Further, it said that the recommendation would give individuals an opportunity to participate in the collection process.¹⁸

2.29 The ALRC emphasised that a requirement to collect personal information about an individual exclusively from the individual concerned would apply only “where reasonable and practicable”. It indicated that there would be many circumstances where it will not be reasonable or practicable to collect personal information directly from the individual concerned. It will not be reasonable and practicable, for example, to collect personal information directly from an individual where direct collection would prejudice the purpose of collection, such as where a law enforcement body is investigating a breach of a criminal law. It said that the requirement is not intended to limit the coercive information-gathering powers of agencies, or the exercise of their intelligence, investigative and compliance functions.¹⁹

2.30 The ALRC also recommended that the Office of the Privacy Commissioner, Australia (“OPC”) should develop and publish guidance to clarify when it would not be reasonable and practicable to collect personal information about an individual only from the individual concerned. In particular, the guidance should address collection:

• of personal information by agencies pursuant to the exercise of their coercive information-gathering powers or in accordance with their intelligence-gathering, investigative, and compliance functions;
• of statistical data;
• of personal information in circumstances in which it is necessary to verify an individual’s personal information;
• of personal information in circumstances in which the collection process is likely to, or will, disclose the personal information of multiple individuals; and
• from persons under the age of 18, persons with a decision-making incapacity and those authorised to provide personal information on behalf of the individual.²⁰

2.31 Section 9 of PPIPA, which is titled “Collection of personal information directly from individual”, states:

A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:

(a) the individual has authorised collection of the information from someone else, or

(b) in the case of information relating to a person who is under the age of 16 years — the information has been provided by a parent or guardian of the person.

2.33 HPP 3, which is titled “Collection to be from individual concerned”, provides:

(1) An organisation must collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so.

(2) Health information is to be collected in accordance with any guidelines issued by the Privacy Commissioner for the purposes of this clause.²¹

Submissions

2.35 In CP 3, the Commission proposed that (assuming NSW would adopt a single privacy Act containing the privacy principles) the principle governing collection of personal information directly from an individual should contain the two exceptions currently provided for in s 9 of PPIPA, as well as the third exception currently provided for in HPP 3, namely, that information must be collected from the individual unless it is “unreasonable or impractical to do so”.²²

2.36 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre supported this proposal.²³

2.37 The NSW Department of Community Services (“DOCS”) and the NSW Department of Ageing, Disability and Home Care were particularly supportive of the proposed “unreasonable and impractical” exception. DOCS noted that such an exemption is found in NPP 1 and in the privacy principles for public sector agencies in Victoria, Tasmania and the Northern Territory.²⁴

2.38 There was, however, apprehension about the scope of the “unreasonable and impracticable” qualification. The Inner City Legal Centre (“ICLC”) expressed concern that the proposed exception could be “interpreted expansively and would be guided by the subjective operational needs of the organisation in question rather than an objective application”. It suggested that the proposed qualification be recast in the following manner:

unreasonable or impractical to do so by reasons of the person’s incapacity to give the information or consent to indirect collection, and the information is necessary for the provision of beneficial services, diagnosis, treatment or care in respect of the individual.

2.40 The Public Interest Advocacy Centre also said that the proposed “reasonable and practicable” exception may be too broad. It preferred the concept of “unjustifiable hardship” under anti-discrimination laws, which it considered to be the less permissive and more objective. It suggested that the collection principle provide that personal information may be collected from the individual unless it would impose unjustifiable hardship on the collector.²⁶

2.41 The NSW Minister for Housing underlined the importance of the exception on authorisation by the individual under s 9 of PPIPA. She considered it appropriate for personal information to be collected from a third party if the person to whom the information relates consents. She said that there are many instances where her Department needs to collect personal information indirectly, for example, where the Department requires information from a medical practitioner about the mental health of an applicant for priority housing.²⁷ The consent exception allows the Department to ask in the application form whether the applicant consents to the Department obtaining relevant personal information from other persons, agencies or organisations.

The Commission’s conclusions

2.42 Section 9 of PPIPA imposes two bright-line tests. If either of those tests is satisfied, no further test of either unreasonableness or impracticability of collecting the information from the individual must be satisfied; that is, the agency simply has power, even if it would be neither unreasonable nor impracticable to collect the information directly from the individual.

2.43 In comparison, UPP 2.3 imposes no bright-line test but rather two tests (unreasonableness and impracticability), each of which requires the making of an evaluative judgment. Each of those tests has the potential to empower the collection of personal information otherwise than from the individual to whom the information relates in circumstances where the collection is not empowered by s 9 of PPIPA. However, neither of those tests will necessarily be satisfied where the individual concerned has authorised the collection of the information from someone else or is under the age of 16 years.

2.44 The ALRC recommended that the OPC issue guidance on the unreasonableness and impracticability tests. The issue that arises is whether the two exceptions under s 9 of PPIPA can be covered through the recommended OPC guidance. This would depend on whether the recommended OPC guidance would be binding or non-binding.

2.45 The nature of recommended OPC guidance is not clear but it would appear that they are intended to be non-binding.²⁸ In Report 108, the ALRC distinguished “guidelines” from “rules”. It described guidelines as providing a “voluntary guide on ways to achieve the outcome set by the relevant privacy principle, without compelling directly a particular course of action”. In contrast, rules are binding and their breach “constitutes an interference with privacy”. ²⁹ It maintained this distinction in its recommendations by using the term “rules” when it wants the OPC to issue guidance that is binding.³⁰ The fact that the ALRC did not use the word “rules” in its recommendation for the OPC to issue guidance on the unreasonable and unreasonable tests under UPP 2.3 indicates that such guidance is intended to be non-binding. Consequently, the OPC guidance would provide no guarantee that information could be collected from third parties in circumstances now covered by s 9 of PPIPA.

2.46 The Commission is of the view that the exception in s 9 of PPIPA relating to an individual authorising an agency to collect his or her personal information from someone else should be included as one of the exceptions in UPP 2.3. Individuals should be given autonomy with respect to how their personal information may be collected. Where, for example, an individual decides to acquiesce to a request for his or her personal information to be collected from someone else, or simply considers such mode of collection convenient, the law should sanction such collection, even if it would be reasonable or practicable for the agency or organisation to collect the information from the individual. The main concern of the ALRC in limiting the number of exceptions in UPP 2 and other UPPs is to ensure that the privacy principles are not too detailed and prescriptive so as to remain consistent with the high-level principles approach it adopted in crafting the UPPs.³¹ The Commission considers that the addition of the one more exception in UPP 2.3 will not detract from the ARLC’s approach.

2.47 The other exception in s 9 of PPIPA — personal information relating to a person who is under the age of 16 years — need not be added as an exception to UPP 2.3 because it can be dealt with through the unreasonable or impracticable exception. An example might be where an agency or organisation needs information relating to a 13-year old child, who does not have the legal capacity to disclose the information.³² It is arguable that since it is legally impracticable to collect the information from the child, collection from someone else (that is, a person having parental responsibility for the child) would be authorised under UPP 2.3.

RECOMMENDATION 3

UPP 2.3 should be revised to read as follows:

2.3 An agency or organisation may collect personal information otherwise than directly from the individual to whom the information relates when either:

• the individual has authorised the collection of the information from someone else; or
• collection from the individual is not reasonable or practicable under the circumstances.

2.48 Agencies and organisations very often receive unsolicited personal information. This occurs when personal information is given to an agency or organisation that did not take active steps to collect that information.

The ALRC’s recommendations

2.49 At the Commonwealth level, the Principles, to some limited extent, distinguish between the obligations imposed on an agency when soliciting personal information, on the one hand, and when receiving unsolicited personal information, on the other hand. Principles 2 and 3 impose certain obligations on an agency only where it has solicited personal information. The obligations in Principle 1, however, do not refer expressly to solicited information and were intended to apply where an agency receives unsolicited material, for example, from sources such as a ministerial letter or a tip-off from an informer.³³

2.50 The NPPs do not distinguish between obligations of an organisation relating to solicited and unsolicited information.

2.51 The ALRC, in Report 108, recommended that the collection principle should provide that, where an agency or organisation receives unsolicited personal information, it must either:

• if lawful and reasonable to do so, destroy the information as soon as practicable without using or disclosing it except for the purpose of determining whether the information should be retained; or
• comply with all relevant provisions in the UPPs that apply to the information in question, as if the agency or organisation had taken active steps to collect the information.³⁴

2.53 The ALRC considered that use or disclosure for the purpose of determining whether the information should be retained would be permissible under the recommendation. For example, an agency or organisation may need to use or disclose the information for the purpose of obtaining advice on whether to retain or destroy it.³⁶

2.54 The ALRC said that the above approach should prevent the expansion of the range of personal information that an agency or organisation may lawfully retain, use and disclose merely because it has taken no steps to collect the information. It emphasised that the requirement that an agency or organisation is only permitted to collect personal information that is “necessary for one or more of its functions or activities” would also apply to unsolicited personal information.³⁷

2.55 The ALRC acknowledged the concerns raised in some of the submissions regarding potential difficulties in complying with the obligations imposed by the privacy principles in respect of certain unsolicited information. Some submissions, for example, expressed concerns about complying with the notification principle, which imposes obligations on agencies and organisations to notify, or otherwise ensure, that an individual is aware of certain matters concerning the collection of his or her personal information. This is of particular relevance to agencies that accept and use unsolicited personal information through anonymous and confidential “tip-offs” that may be useful in investigations of offences and other unlawful activities.³⁸

2.56 The ALRC, however, emphasised that the requirement to comply with relevant privacy principles includes a consideration of any qualifications or exceptions to those principles. It noted, for example, that the obligation to notify, or otherwise ensure, that an individual is aware of certain matters concerning the collection of his or her personal information is limited to taking such steps, if any, that are reasonable in the circumstances. It expressed the view that, in some circumstances, it will be reasonable for an agency or organisation to take no steps to notify an individual about the collection of personal information, including the receipt of unsolicited confidential “tip-offs” relating to unlawful activity.³⁹

2.57 The ALRC also recommended that the OPC develop and publish guidance about the meaning of “unsolicited” in the context of the collection principle.⁴⁰

The law in NSW

2.58 Section 4(5) of PPIPA provides that for its purposes, “personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited”.

2.59 Section 10 of HRIPA provides that, for its purposes, “health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited.”⁴¹

2.60 Neither PPIPA nor HRIPA define the meaning of “collected” or “collection”. Nor do they specify which IPPs or HPPs, if any, apply to unsolicited personal information. Further, there is a lack of consensus on this matter among the cases decided by the NSW Administrative Decisions Tribunal (“the Tribunal”).⁴²

2.61 In KD v Registrar, New South Wales Medical Board, the Tribunal held that the personal information that KD included in her complaint lodged with the NSW Medical Board against a doctor was unsolicited.⁴³ The Tribunal ruled that s 8, 9, 10 and 11 of PPIPA, all of which relate to collection of personal information, had no application to unsolicited personal information.⁴⁴

2.62 The NSW Privacy Commissioner made a submission to the Tribunal arguing that the other IPPs in s 12-19 should be applied to personal information held by agencies, irrespective of whether that information was collected. He submitted that once an agency “holds” personal information, s 12-19 come into play.⁴⁵ The Tribunal, however, held that, while s 19 (special restrictions on disclosure of personal information) catches all personal information held by an agency, s 17 (limits on the use of personal information)⁴⁶ and most of the provisions of s 18 (limits on disclosure of information) apply only to information that is “collected”, and accordingly do not apply to unsolicited information.⁴⁷

2.63 However, the Tribunal distinguished sub-section 18(1)(b), which unlike s 18(1)(a), does not refer to “collected information”.⁴⁸ The Tribunal held that s 18(1)(b) ought to be given wide interpretation to make it applicable to both collected and unsolicited personal information.

2.64 The decision in KD v Registrar, NSW Medical Board may be compared with other Tribunal decisions that have construed the term “collected” in s 4(5) of PPIPA and s 10 of the HRIPA broadly, thus enabling the application of the privacy principles to personal information that was not actively collected by agencies or organisations.

2.65 In OA v New South Wales Department of Housing,⁴⁹ the NSW Department of Housing (“the Department”) received information from members of the public alleging that OA, a public housing tenant, was sub-letting the unit provided to him by the Department while living elsewhere. Acting on this information, an officer of the Department interviewed OA about the allegations. OA denied the allegations and lodged with the Tribunal an application for review of the Department under PPIPA.

2.66 The Tribunal held that:

If the agency … decides to “hold” information that was originally received as an unsolicited communication, then the principles in the Act that have to do with the “holding” of information come into play, as do the principles in relation to “use” and “disclosure” if action of that kind occurs.⁵⁰

A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

2.69 The Tribunal also applied s 17 of PPIPA, which provides:

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

2.71 In further contrast to the judgment in KD v Registrar, NSW Medical Board, the Tribunal in OA v New South Wales Department of Housing applied the collection principles in s 8 (collection of personal information for lawful purposes) and 9 (collection of personal information directly from individual) to personal information that was not actively solicited by the agency. It found, however, that there was insufficient evidence to support OA’s allegation that the Department breached s 8, and the Department’s Privacy Code of Conduct allowed it to depart from the provisions of s 9 when receiving complaints about the conduct of its tenants.⁵³

2.72 The case of AW v Vice Chancellor, University of Newcastle⁵⁴ also applied some privacy principles to unsolicited personal information. It involved a student (AW) who complained to the complaints manager of the University of Newcastle (“the university”), Ms Foster, about alleged harassment from fellow students and university staff. AW disclosed his HIV status in his complaint. Subsequently, AW lodged with the Tribunal an application for review of the conduct of the university, in particular the disclosure by Ms Foster of AW’s HIV status to other university officials, which was done in the course of the investigations relating to AW’s complaint.

2.73 The Tribunal examined whether the “use” by Ms Foster of AW’s personal information breached s 17 of the PPIPA and HPP 10 of the HRIPA, both of which prohibit the use of personal information for a purpose other than that for which it was collected, subject to certain exceptions. The Tribunal noted that these principles, by their terms, require that use be considered in the context of the purpose for which information was “collected”. It then construed the meaning of “collected” in the following manner:

While the information in this matter was not “collected” for the purposes of either section 10 of the Health Records Act or section 4(5) of the Privacy Act, decisions of the Tribunal have read the word “collected” in this context more broadly, to mean “obtained”.⁵⁵

Submissions

2.75 In CP 3, the Commission asked whether any or all of the IPPs and HPPs should apply to unsolicited personal information.⁵⁷

2.76 The Public Interest Advocacy Centre and the Australian Privacy Foundation both recommended that all of the IPPs and the HPPs should apply to all personal information, however obtained, to the maximum extent practicable in the circumstances.⁵⁸ The Public Interest Advocacy Centre said that the distinction between solicited and unsolicited personal information adds unnecessary complexity to the current law. ⁵⁹

2.77 The NSW Law Society, the HIV/AIDS Legal Centre, and the Cyberspace Law and Policy Centre said that all the IPPs and HPPs should apply to unsolicited personal information except those in respect of collection.⁶⁰ The HIV/AIDS Legal Centre argued that:

where an organisation chooses to retain “unsolicited information”, and where that information continues to fall within “personal information”, it is difficult to ascertain policy reasons to exempt this information from any of the IPPs, barring possibly IPP 1 & 2 (information collected to be for a lawful purpose & directly relevant; information collected to be from individual directly).⁶¹

2.78 As noted above, there is a lack of clarity under current legislation and case law about whether the IPPs and HPPs (and which, if any) apply to unsolicited personal information. There is a need for legislation to provide certainty and clarity on the matter. For this purpose, the Commission supports UPP 2.5, which outlines the options that agencies have in dealing with unsolicited information.

2.79 Under UPP 2.5, an agency is given a reasonable time within which to decide whether it can lawfully collect the unsolicited information, and whether it wishes to retain that information. If the agency decides to keep the information, it will have to comply with all relevant provisions in the privacy principles as if it had taken active steps to collect the information. If the agency decides not to retain the information, it will have to destroy the information as soon as practicable without using or disclosing it, if it is lawful and reasonable to do so. However, use or disclosure of the information for the purpose of determining whether the agency can and should retain it would be permissible, for example, where an agency seeks advice on whether to hold or destroy it.⁶²

2.80 As observed by the ALRC, the requirement in UPP 2.5 for agencies to comply with relevant privacy principles entails a consideration of any qualifications or exceptions to those principles. For example, the obligation to notify an individual of certain matters concerning the collection of his or her personal information (such as the fact of such collection, the purpose of collection, etc) is limited to taking such steps, if any, that are reasonable in the circumstances. Such limitation includes taking no steps, for example, where notification would defeat the purpose of the collection, such as where it would prejudice the enforcement of laws.⁶³

SENSITIVE INFORMATION

2.81 This section examines UPP 2.5 and UPP 2.6, which have been formulated for the purpose of regulating the collection of sensitive information. These UPPs provide:

2.5 In addition to the other requirements in UPP 2, an agency or organisation must not collect sensitive information about an individual unless:

(a) the individual has consented;

(b) the collection is required or authorised by or under law;

(c) the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information concerns is legally or physically incapable of giving or communicating consent;

(d) if the information is collected in the course of the activities of a non-profit organisation—the following conditions are satisfied:


(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and

(ii) at or before the time of collecting the information, the organisation undertakes to the individual to whom the information concerns that the organisation will not disclose the information without the individual’s consent;


(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;

(f) the collection is necessary for research and all of the following conditions are met:


(i) the purpose cannot be served by the collection of information that does not identify the individual or from which the individual would not be reasonably identifiable;

(ii) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;

(iii) a Human Research Ethics Committee that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), as in force from time to time, has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and

(iv) the information is collected in accordance with Research Rules issued by the Privacy Commissioner; or


(g) the collection is necessary for the purpose of a confidential alternative dispute resolution process.

2.6 Where an agency or organisation collects sensitive information about an individual in accordance with 2.5(f), it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

Commonwealth

2.82 Section 6(1) of the Privacy Act defines sensitive information as information or an opinion about an individual’s:

• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs;
• membership of a professional or trade association;
• membership of a trade union;
• sexual preferences or practices;
• criminal record;
• health information; or
• genetic information that is not otherwise health information.

10.1 An organisation must not collect sensitive information about an individual unless:

(a) the individual has consented; or

(b) the collection is required by law; or

(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:


(i) is physically or legally incapable of giving consent to the collection; or

(ii) physically cannot communicate consent to the collection; or


(d) if the information is collected in the course of the activities of a non-profit organisation — the following conditions are satisfied:

(i) the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

(ii) at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or


(e) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

NSW

2.85 In NSW, PPIPA does not define sensitive information. Nevertheless, s 19 of PPIPA refers to “an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities”. These are similar to some of the information identified in s 6(1) of the Privacy Act as being sensitive information.

2.86 In contrast to NPP 10.1 (which regulates the collection of sensitive information by organisations) s 19 of PPIPA puts restrictions on disclosure of the categories of personal information it covers.⁶⁴ There are no other provisions in PPIPA that provide special rules relating to the collection of the categories of personal information enumerated in s 19.

2.87 HRIPA does not contain any provision that is comparable to NPP10.1 or s 19 of PPIPA.

Regulating the collection of sensitive information

2.88 The ALRC examined whether agencies covered by the Privacy Act should also be subject to restrictions in collecting sensitive information, and if so, where such restrictions should be located.

2.89 The ALRC recommended that the UPPs should set out requirements that both agencies and organisations must observe when collecting personal information that is defined as sensitive information for the purposes of the Privacy Act. Further, its recommendation stated that the relevant requirements should be located in the collection principle.⁶⁵

2.90 The ALRC declared that there are strong policy reasons for regulating the collection of sensitive information by both agencies and organisations. It said that the categories of personal information that are defined as sensitive information need to be given a higher level of protection than other forms of personal information because they are highly personal in nature and their misuse can be quite damaging to the individual concerned. They can, for example, be used as a basis for unjustified discrimination and other forms of mistreatment.⁶⁶

2.91 With respect to the location of the provisions on the collection of all sensitive information, the ALRC argued that it would be inappropriate to regulate the collection of sensitive information in a separate principle because it may “convey the incorrect impression that there is a completely separate regime applicable to sensitive information at all stages of the information cycle”.⁶⁷ As a general rule, the UPPs apply to all personal information, including sensitive information. However, there are specific provisions for sensitive information, such as those relating to collection, use and disclosure,⁶⁸ and direct marketing.⁶⁹

2.92 The Commission supports the ALRC’s recommendation. It agrees with the view expressed by the ALRC that the categories of personal information defined under the Privacy Act as sensitive information deserve a greater level of protection than other forms of personal information because they are highly personal in nature and the individuals to whom they relate would generally have a reasonable expectation that they should remain private. The recommendation by the ALRC to regulate the collection of sensitive information through specific provisions in the collection principle is of particular significance to NSW because, as indicated above, PPIPA and HRIPA do not currently have provisions regulating the collection of sensitive information. The Commission considers it critical that the protection given to sensitive information should commence from the collection stage.

Prohibiting collection as the starting point

2.93 The ALRC used NPP 10.1 as the main basis for its regulatory approach to the collection of sensitive information, which involves prohibition as the starting point subject to well-defined exceptions. The following sections examine the specific circumstances when sensitive information may be collected pursuant to UPP 2.5.

Consent

2.94 UPP 2.5(a) allows the collection of sensitive information where the individual to whom the information relates has consented.

2.95 This is similarly worded to NPP 10.1(a). There was a suggestion from privacy advocates that UPP 2.5(a) should, as an improvement on NPP 10.1(a), require express consent.⁷⁰ However, the ALRC took the position that a requirement of express consent would be impracticable and too prescriptive, particularly in relation to health information.⁷¹ It noted that the OPC’s Guidelines on Privacy in the Private Health Sector recognise that there are situations where it is reasonable for health service providers to rely on the implied consent of patients. The pertinent provisions of these Guidelines provide:

As a general rule, if a health service provider needs or wants consent and is in doubt about whether an individual is giving consent or not, it is preferable to seek express consent.

Implied consent – there are situations when health service providers may reasonably rely on implied consent by individuals to handle health information in certain ways.

For example, an individual presents to a medical practitioner, discloses health information, and this is written down by the practitioner during the consultation – this will generally be regarded as giving implied consent to the practitioner to collect the information for certain purposes. The extent of these purposes will usually be evident from the discussion during the consultation.

Similarly, if a medical practitioner collects a specimen to send to a pathology laboratory for testing, it would be reasonable to consider that the individual is giving implied consent to the passing of necessary information to that laboratory.

Where there is open communication and information sharing between the health service provider and the individual, consent issues will usually be addressed during the course of the consultation. If the discussion has provided the individual with an understanding about how their health information may be used, then it would be reasonable for the health service provider to rely on implied consent.⁷²

2.97 The Commission agrees with the ALRC that collectors of sensitive information should be able to rely on the implied consent of the individual concerned. The OPC guidelines quoted above give illustrations of circumstances where it would be more practicable for both medical health practitioners and patients if reliance can be had on implied consent. The guidelines also underscore the preferred approach of seeking express consent when in doubt whether or not the individual is giving consent. Finally, they indicate that, at least with respect to health information, the implied consent must also be the result of an informed decision.

2.98 Attention should be drawn to the ALRC’s recommendation that the OPC develop and publish guidance on consent that addresses express and implied consent as it applies in various contexts.⁷³ The Commission agrees with the ALRC’s contention that guidance from the OPC provides a more flexible mechanism for dealing with this issue,⁷⁴ and endorses the adoption of such an approach in NSW. It considers the provisions on implied consent in the OPC’s Guidelines on Privacy in the Private Health Sector to be a good model that could be expanded to cover situations relating to sensitive information other than health information. The guidelines should, however, make it clear that a collector of sensitive information should endeavour to obtain express consent whenever practicable before relying on implied consent.

Collection is required or authorised by or under law

2.99 UPP 2.5(b) allows the collection of sensitive information where this is required or authorised by or under law.

2.100 This provision may be compared with NPP 10.1(b), which allows the collection of sensitive information where it is required by law. The ALRC considered the provision in NPP 10.1(b) to be too narrow because it ostensibly does not allow the collection of sensitive information when authorised by law. The ALRC said that the wording of UPP 2.5(b) is particularly relevant to agencies that are authorised by law to collect sensitive information as a means of assisting them perform their statutory functions, such as those relating to law enforcement and the administration of government programs.⁷⁵

2.101 The ALRC also said that the collection of sensitive information need not be specifically authorised by law. It made the observation that information-gathering powers of agencies do not usually refer specifically to sensitive information. Consequently, in its view, an exception that permits the collection of sensitive information only where it is specifically authorised by or under law would be too restrictive.⁷⁶

2.102 The Commission supports UPP 2.5(b) and does not have anything to add to the ALRC’s reasons and commentary.

Emergency situations

2.103 UPP 2.3(c) allows the collection of sensitive information where it is necessary to prevent or lessen a serious threat to the life or health of any individual, and where the individual to whom the information relates is legally or physically incapable of giving or communicating consent.

2.104 The current requirement under NPP 10.1(c) requires the threat to the life or health of any individual to be both serious and imminent. The ALRC considered such a requirement to be too difficult to satisfy and decided that it should be relaxed so that the exception in UPP2.3(c) could be used where a threat is serious, but not necessarily imminent. It said that this would enable an agency or organisation to take preventative action to avert a threat from becoming a full-blown crisis. Further, it said that the formulation in UPP 2.3(c) strikes an appropriate balance between protecting the privacy rights of an individual and the public interest in preventing threats to life and health.⁷⁷

2.105 One submission to the ALRC suggested replacing the word “imminent” with another qualification that suggests likelihood, such as “probable” or “likely”. The ALRC decided that this was unnecessary because in its view, “[i]f it is improbable that a threat will eventuate, then the threat cannot be considered serious”.⁷⁸

2.106 The Commission agrees with the ALRC that it should be enough for a threat to be serious to justify the collection of sensitive information. A threat may not be imminent but may be of a level of seriousness that a public interest exists in collecting sensitive information. An example might be where an animal disease has infected a small number of people, some of whom have died, in a few countries. There are concerns among health authorities that the disease has a potential to become a human pandemic but it has so far been confined to a few specified countries and has not yet been documented in Australia. It has not yet been included in the list of notifiable diseases in relevant legislation⁷⁹ and is therefore not covered by the provision in UPP 2.5(b) allowing the collection of sensitive information where it is required by law. Because the disease in question may have a lengthy incubation period, has not yet reached Australia, and there is a chance that it could be contained in the few countries where it has been detected, it might be argued that, although it is a serious threat, it is not yet an imminent threat to Australia. However, its potential to reach Australia and become a pandemic arguably poses a serious threat to the health of a large number of individuals. This should be sufficient to justify the collection of relevant health information (for example, screening the health of individuals who have recently travelled to countries where the condition has been detected and who have certain symptoms) to enable authorities to monitor the situation, take steps to prevent a health crisis from happening, and formulate a management plan in case the disease reaches Australia.

2.107 The Commission also agrees with the position taken by the ALRC that it is unnecessary to specify that the serious threat should also be “probable” or “likely”. The determination of the seriousness of a threat will usually involve an assessment of the probability of it happening.

Non-profit organisations

2.108 UPP 2.5(d) allows the collection of sensitive information if the information is collected in the course of the activities of a non-profit organisation and the following conditions are present:

• the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities; and
• at or before the time of collecting the information, the organisation undertakes to the individual to whom the information concerns that the organisation will not disclose the information without the individual’s consent.

2.110 There was one suggestion from the submissions that this exception be redrafted to allow the collection of sensitive information “if the information is collected in the course of the lawful activities of a non-profit organisation that has aims relating to sensitive information (as defined in the [Privacy] Act)”.⁸⁰ The ALRC said that concerns about the drafting of this exception will best be addressed by the OPC.⁸¹

2.111 The ALRC also said that the definition of “non-profit organisation” should not be located in the collection principle but should be situated in Pt II of the Privacy Act, which deals with interpretation of terms.⁸² Currently, the definition of this term is found in the principle dealing with sensitive information.⁸³ The ALRC argued that it is logical to locate the definition of this term with the other definitions in the Privacy Act. Further, it said that this approach would simplify the provisions of the collection principle relating to sensitive information.⁸⁴

2.112 The Commission supports UPP 2.5(d) and does not have further comments or suggestions. We note that this particular exception will not have relevance in NSW since PPIPA does not cover organisations.

Legal and equitable claims

2.113 UPP 2.5(e) allows the collection of sensitive information where it is necessary for the establishment, exercise or defence of a legal or equitable claim.

2.114 This is based on, and similarly worded to, NPP 10.1(e). The ALRC did not recommend any changes to the wording of NPP 10.1(e). It said that it “did not receive sufficient feedback from stakeholders to enable it to assess properly the merits and consequences of broadening the exception”.

2.115 The Commission supports UPP 2.5(e).

Research

2.116 There is no provision in NPP 10.1 allowing the collection of sensitive information for research purposes. However, NPP 10.3 allows organisations to collect health information (which is a category of sensitive information) without the consent of the individual concerned where the collection is necessary for purposes of research, or the compilation or analysis of statistics⁸⁵ and the following conditions are present:

• it is relevant to public health or safety;
• the purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained;
• it is impracticable for the organisation to seek the individual’s consent to the collection; and
• the information is collected as required by law; or in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or in accordance with guidelines issued by the National Health and Medical Research Council (“NHMRC”) and approved by the OPC under s 95A of the Privacy Act.

2.118 The ALRC recommended the expansion of the research exception beyond health and medical research to apply to human research generally. It reasoned that other areas of research, such as sociology and criminology, should be supported because of their potential to lead to evidence-based policy that could benefit the community. Further, it argued that research is increasingly becoming multi-disciplinary and that non-health information is often desirable or necessary in some health and medical research.⁸⁶

2.119 The ALRC used NPP 10.3 and NPP 10.4 as the basis for UPP 2.5(f) and UPP 2.6, which are the model privacy principles on the collection of sensitive information for the purpose of research.

2.120 UPP 2.5(f) allows the collection of sensitive information for the purpose of research if all these conditions are met:

• the purpose cannot be served by the collection of information that does not identify the individual, or from which the individual would not be reasonably identifiable;
• it would be unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;
• a Human Research Ethics Committee (“HREC”) that is constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research (2007), has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and
• the information is collected in accordance with research rules issued by the OPC.

2.122 It noted that the guidelines that the NHMRC may issue under s 95 of the Privacy Act for the protection of privacy in the conduct of medical research contain a reasonableness test; that is, research may proceed without consent when it is reasonable to do so. The ALRC gave the view that “[w]hile it might be practicable to seek the consent of research participants in a particular case, it would not be reasonable to do so if this would have an unacceptable impact on the integrity and validity of the research”. It concluded that both the reasonable and impracticable tests should be incorporated in UPP 2.5.⁸⁸ Hence, one of the requirements for the collection of sensitive information under UPP 2.5 is that it would be unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection.

2.123 The second change relates to the new requirement for a public interest review by HRECs. This embodies the ALRC’s view about the need to balance the public interest in the proposed research and the interest in protecting the privacy of individuals subject of the research. It said that:

If, taking all relevant factors into account, the public interest in one course of action outweighs the public interest in another course of action, the appropriate course of action is clear. In particular — in the research environment where a range of other safeguards are in place — if the public interest in a particular research proposal going forward outweighs the public interest in maintaining the level of privacy protection provided by the privacy principles, then the research should be allowed to proceed.⁸⁹

2.125 The third change is the provision that the sensitive information must be collected in accordance with research rules issued by the OPC. In contrast to this provision, the current provision states that the health information may be collected if, in addition to the other requirements:

• the information is collected as required by law;
• it is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality that bind the organisation; or
• it is collected in accordance with guidelines issued by the NHMRC and approved by the OPC approved under s 95A of the Privacy Act.

2.127 The ALRC decided to dispense with the second alternative requirement because it has never been used.⁹²

2.128 The ALRC recommended the revision of the third alternative requirement so that the collection must now be in accordance with research rules issued by the OPC.

2.129 The first thing to note about the revised requirement is the use of the term “rules” instead of “guidelines”. This is to underline the fact that the research rules to be issued by the OPC will be binding.⁹³

2.130 The ALRC said that, since the research exception to collection of sensitive information is being broadened to cover all human research and not just health and medical research, it would no longer be appropriate for the NHMRC to issue the research rules.⁹⁴

2.131 Further, it said that the research exceptions to collection and use of sensitive information would have the effect of allowing the use of such personal information in ways that would normally breach the UPPs. It argued that, in this respect, the research rules issued under those exceptions are similar in effect to Public Interest Determinations, which are made by the OPC pursuant to its powers under the Privacy Act.⁹⁵ It said that the OPC’s involvement is required where there are changes to the level of protection provided by the UPPs.⁹⁶

2.132 With respect to the requirement in NPP 10.4, the ALRC recommended that its wording be modified so that an agency or organisation that collected sensitive information under the research exception should no longer be required to take reasonable steps to “permanently de-identify” information before it is disclosed. Instead, under UPP 2.6, where an agency or organisation collects sensitive information about an individual in accordance with the research exception, it must “take reasonable steps to ensure that the information is not disclosed in a form that would identify individuals or from which individuals would be reasonably identifiable”.

2.133 The ALRC argued that the new provision is more consistent with its recommended definition of personal information,⁹⁷ which is “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual”.⁹⁸

2.134 Reasonable steps under UPP 2.6 would include employing commonly-used research techniques that are intended to protect confidentiality, such as “data suppression” where certain research data, such as the personal information of research subjects, are kept under wraps.⁹⁹

2.135 The Commission supports UPP 2.5(f) and UPP 2.6 and has no comments or suggestions.

Alternative dispute resolution

2.136 UPP 2.5(g) allows the collection of sensitive information where it is necessary for the purpose of a confidential alternative dispute resolution (“ADR”) process.

2.137 This is a new provision that the ALRC recommended in recognition of the critical role of alternative dispute resolution in the effective, efficient and fair resolution of disputes. The ALRC also acknowledged that disclosure of all relevant information by the parties to an ADR process, including sensitive information about themselves and relevant third parties, is an important aspect of ADR processes.¹⁰⁰

2.138 The National Alternative Dispute Resolution Advisory Council (NADRAC), in its submission to the ALRC, underscored the significance of information sharing by the parties to ADR processes. The NADRAC commented that:

ADR processes are aimed at getting each party to outline the full context of the dispute from their perspectives with a view to identifying the underlying interests of each party … In the course of ‘telling their story’ many parties will include information that seems to them to be important and which may help to indicate how they came to their position but which would be deemed irrelevant in legal proceedings. The accounts will often include personal information including sensitive information about themselves and others whom the person considers to be directly or indirectly involved.¹⁰¹

2.140 The ALRC therefore recommended that agencies and organisations be permitted to collect sensitive information under the collection principle, and to use and disclose personal information under the use and disclosure principle, where the collection, use or disclosure is necessary for the purpose of an ADR proceeding.¹⁰³

2.141 UPP 2.5(g) contains a qualification that the relevant ADR proceeding must be confidential in nature. The ALRC considered that the confidentiality requirements attached to ADR processes are the best way of safeguarding personal information collected through the recommended ADR exception. It gave the view that, provided the parties to the dispute and the ADR provider are bound by legal or contractual confidentiality obligations, any personal information that is collected pursuant to UPP 2.5(g) will be adequately protected, since its use or disclosure will be restricted to the particular ADR proceeding in which it was collected, unless the parties consent to its use or disclosure for other purposes, or another relevant exception applies.¹⁰⁴

2.142 The ALRC said that the OPC should, in consultation with NADRAC, formulate guidance on what constitutes confidentiality requirements for purposes of UPP 2.5(g).¹⁰⁵

2.143 The ALRC decided that it is unnecessary to add a requirement that agencies or organisations providing ADR must be “authorised”, in the sense of being accredited through existing accreditation systems,¹⁰⁶ or through an accreditation system to be established specifically for purposes of the Privacy Act. It considers ADR to be “dynamic and diverse” and concluded that, provided confidentiality safeguards are in place, such diversity should be accommodated.¹⁰⁷

2.144 The Commission agrees with the ALRC’s view that ADR has become an essential element in the resolution of disputes in Australian society. ADR processes have become integrated with the judicial system, for example, through the power of courts to refer proceedings before it for mediation,¹⁰⁸ or through commercial arbitration legislation that confers power on courts that are supportive of the administration of the arbitration process.¹⁰⁹

2.145 In NSW, it is government policy for agencies to attempt, where possible, to settle disputes by using ADR techniques rather than by resorting to the court system.¹¹⁰

2.146 ADR processes have also become a common feature in resolving disputes involving private industries. For example, banks, credit unions, building societies and other entities that provide financial services to retail clients are required by law to be members of a dispute resolution scheme approved the Australian Securities and Investments Commission¹¹¹ and this has resulted in the establishment and regulation of industry-funded ADR schemes,¹¹² which are intended to provide accessible justice for consumers.

2.147 An essential component of ADR techniques is the ability of parties to freely and candidly narrate their side of the dispute, which may involve giving sensitive information about themselves and others who may be involved with the dispute. The Commission supports UPP 2.5(g) since it would promote the free flow of information among parties to an ADR process and enable the ADR provider to receive sensitive information that may be required for the effective resolution of the dispute. The confidentiality requirements that are usually an essential aspect of the ADR processes and which are required for the operation of UPP 2.5(g) provide sufficient protection for any sensitive information collected in that context.

1. See para 2.81.

2. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 1 Recommendation 21-5.

3. ALRC Report 108 vol 1 [21.76].

4. ALRC Report 108 vol 1 [21.75].

5. ALRC Report 108 vol 1 [21.74].

6. Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper No 72 (2007) Proposal 18-3 (“ALRC DP 72”).

7. ALRC Report 108 vol 1 [21.72].

8. ALRC DP 72 Proposal 18-3.

9. ALRC Report 108 vol 1 [21.77].

10. Health Records and Information Privacy Act 2002 (NSW) sch 1, HPP 1.

11. UPP 9.1(c).

12. UPP 2.4(a), UPP 2.3, UPP 2.5(f)(ii), UPP 5.1(g)(i), UPP 6.2(d), UPP 9.5.

13. UPP 2.6, UPP 3, UPP 4.2, UPP 7, UPP 8.1, UPP 9.3, UPP 9.6, UPP 9.7(b).

14. UPP 9.1.

15. ALRC Report 108 vol 1 [21.83].

16. HPP 1(2) states that an organisation must not collect health information by any unlawful means. HPP 2(b) provides that an organisation that collects health information from an individual must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates: see Health Records and Information Privacy Act 2008 (NSW) sch 1.

17. ALRC Report 108 vol 1 Recommendation 21-1.

18. ALRC Report 108 vol 1 [21.31].

19. ALRC Report 108 vol 1 [21.32].

20. ALRC Report 108 vol 1 Recommendation 21-2.

21. The NSW Privacy Commissioner has issued guidelines pursuant to HPP 3(2). The guidelines provide some examples of when it may be unreasonable or impracticable to collect health information directly from the person concerned, including, among others: (a) where a person is admitted unconscious to an emergency ward; (b) where a person lacks the capacity to provide his or her health information; and (c) in the course of taking the family, social or medical history of a patient, if this is relevant to providing the health service to the patient: Office of the NSW Privacy Commissioner, Handbook to Health Privacy (2004) 21-22.

22. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper No 3 (2008) (“NSWLRC CP 3”) Proposal 8.

23. Australian Privacy Foundation, Submission, 8; Cyberspace Law and Policy Centre, Submission, 20.

24. NSW Department of Community Services, Submission, 5-6; NSW Department of Ageing, Disability and Home Care, Submission, 2.

25. Inner City Legal Centre, Submission, 13-14.

26. Public Interest Advocacy Centre, Submission, 20.

27. Minister for Housing, Submission, 2.

28. For a general discussion on guidance pursuant to the Privacy Act, see ALRC Report 108 vol 1 [47.25]-[47.36].

29. ALRC Report 108 vol 1 [47.36].

30. See, for example, para 2.129-2.130.

31. See ALRC Report 108 vol 1 Ch 18. See also para 0.5-0.9.

32. See Health Records and Information Protection Act s 7 (an individual is incapable of doing an act authorised, permitted or required by this Act if the individual is incapable [despite the provision of reasonable assistance by another person] by reason of age, injury, illness, physical or mental impairment of: (a) understanding the general nature and effect of the act, or (b) communicating the individual’s intentions with respect to the act).

33. See ALRC Report 108 vol 1 [21.38].

34. ALRC Report 108 vol 1 Recommendation 21-3.

35. ALRC Report 108 vol 1 [21.55].

36. ALRC Report 108 vol 1 [21.55].

37. ALRC Report 108 vol 1 [21.56].

38. ALRC Report 108 vol 1 [21.47].

39. ALRC Report 108 vol 1 [21.54].

40. ALRC Report 108 vol 1 Recommendation 21-4.

41. Health Records and Information Privacy Act 2002 (NSW) s 10.

42. See A Johnston, PPIPA in Practice: An Annotated Guide to the Privacy and Personal Information Protection Act 1998 (NSW), [28].

43. KD wrote a letter to the NSW Health Minister complaining about a doctor who performed surgery on KD. The Minister forwarded KD’s letter to the Health Care Complaints Commission, which in turn referred KD’s letter to the NSW Medical Board. In the course of dealing with KD’s complaint against the doctor, the Board provided the doctor with documents that KD had given to the Board, including copies of correspondence and a Medicare claims history statement.

44. KD v Registrar, NSW Medical Board [2004] NSWADT 5 [28]. Compare OA v New South Wales Department of Housing [2005] NSWADT 233; OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94, discussed below.

45. KD v Registrar, New South Wales Medical Board [2004] NSWADT 5 [28].

46. Compare OA v New South Wales Department of Housing [2005] NSWADT 233 and AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86, where the Tribunal applied s 17 to personal information that was not actively solicited by the relevant agencies.

47. KD v Registrar, NSW Medical Board [2004] NSWADT 5 [29].

48. Section 18 (1) provides that a public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

49. OA v New South Wales Department of Housing [2005] NSWADT 233; OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94.

50. OA v New South Wales Department of Housing [2005] NSWADT 233 [45].

51. OA v New South Wales Department of Housing [2005] NSWADT 233 [47]; OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94 [21]-[26].

52. OA v New South Wales Department of Housing [2005] NSWADT 233 [50].

53. OA v New South Wales Department of Housing [2005] NSWADT 233 [42]; OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94 [17]-[20].

54. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86.

55. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86 [28] citing MT v Department of Education and Training [2004] NSWADT 194.

56. AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86 [29].

57. NSWLRC CP 3 Issue 23.

58. Public Interest Advocacy Centre, Submission, 15; Australian Privacy Foundation, Submission, 9.

59. Public Interest Advocacy Centre, Submission, 15.

60. The Law Society of NSW, Submission, 8; HIV/AIDS Legal Centre, Submission, 11; Cyberspace Law and Policy Centre, Submission, 14-15.

61. HIV/AIDS Legal Centre, Submission, 11.

62. ALRC Report 108 vol 1 [21.55].

63. See para 3.24-3.28.

64. Disclosure of sensitive information is dealt with in para 5.48-5.54.

65. ALRC Report 108 vol 1 Recommendation 22-1.

66. ALRC Report 108 vol 1 [22.19]-[22.21].

67. ALRC Report 108 vol 1 [22.22]-[22.23].

68. See para 5.10.

69. See para 6.13.

70. ALRC Report 108 vol 1 [22.65].

71. ALRC Report 108 vol 1 [22.22]-[22.23].

72. Office of the Privacy Commissioner, Guidelines on Privacy in the Private Health Sector (2001) A.5.3.

73. ALRC Report No 108 (2008) vol 1 Recommendation 19-1.

74. ALRC Report 108 vol 1 [22.70].

75. ALRC Report 108 vol 1 [22.31].

76. ALRC Report 108 vol 1 [22.32].

77. ALRC Report 108 vol 1 [22.48].

78. ALRC Report 108 vol 1 [22.49].

79. See Public Health Act 1991 (NSW).

80. ALRC Report 108 vol 1 [22.67], emphasis added.

81. ALRC Report 108 vol 1 [22.71].

82. ALRC Report 108 vol 1 [22.72].

83. Privacy Act 1988 (Cth) sch 3 NPP 10.5.

84. ALRC Report 108 vol 1 [22.72].

85. A third purpose covered by NPP 10.3 is the management, funding, or monitoring of a health service.

86. ALRC Report 108 vol 3 [65.40].

87. ALRC Report 108 vol 3 [65.94].

88. ALRC Report 108 vol 3 [65.95]-[65.96].

89. ALRC Report 108 vol 3 [65.81].

90. ALRC Report 108 vol 3 Recommendation 65-4.

91. ALRC Report 108 vol 3 [65.157].

92. The OPC informed the ALRC that it is not aware of rules established by competent health or medical bodies that would fulfil the requirements of NPP 10.3: ALRC Report 108 vol 3 [65.157].

93. ALRC Report 108 vol 3 [65.5]-[65.6].

94. ALRC Report 108 vol 3 [65.19].

95. Privacy Act 1988 (Cth) s 72.

96. ALRC Report 108 vol 3 [65.17].

97. ALRC Report 108 vol 3 [65.160].

98. ALRC Report 108 vol 1 Recommendation 6-1.

99. ALRC Report 108 vol 3 [65.163].

100. ALRC Report 108 vol 2 [44.23]-[44.24].

101. ALRC Report 108 vol 2 [44.6].

102. ALRC Report 108 vol 2 [44.25].

103. ALRC Report 108 vol 2 Recommendation 44-1. The aspect of this recommendation relating to the use and disclosure principle is discussed in Chapter 5.

104. ALRC Report 108 vol 2 [44.29]-[44.30].

105. ALRC Report 108 vol 2 [44.31].

106. For example, see para 2.146 and accompanying notes.

107. ALRC Report 108 vol 2 [44.33].

108. See, for example, Uniform Procedure Act 2005 (NSW) pt 4.

109. Commercial Arbitration Act 1984 (NSW).

110. NSW Department of Premier and Cabinet Memorandum No 97-26 (1997). See also the Model Litigant Policy (2004) (it declares that the State and its agencies must act as a model litigant in the conduct of litigation, which means, among other things, using ADR whenever possible). For a recent NSW government initiative to promote the greater use of ADR, see NSW Attorney General’s Department, ADR Blueprint: Framework for the Delivery of Alternative Dispute Resolution (ADR) Services in NSW (2009).

111. Corporations Act 2001 (Cth) s 912(2)(b).

112. Examples of ASIC-approved dispute resolution schemes include the Banking and Financial Services Ombudsman, the Credit Union Dispute Resolution Centre, and the Financial Co-operative Dispute Resolution Scheme.