Report 123 (2009) - Privacy principles


3. UPP 3: Notification



INTRODUCTION

3.1 This chapter examines the obligations of agencies and organisations to take steps to ensure that individuals are aware of certain matters when their personal information is being, or has been, collected. The Commission follows the lead of the ALRC in referring to these obligations as relating to “notification”, even though notification is only one way of achieving awareness.1

3.2 In particular, the chapter analyses UPP 3, which the ALRC recommended as the reform model for the notification principle of the privacy legislation of each of the Australian jurisdictions. UPP 3 provides:

      UPP 3. Notification

      At or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of, the:

      (a) fact and circumstances of collection, where the individual may not be aware that his or her personal information has been collected;

      (b) identity and contact details of the agency or organisation;

      (c) rights of access to, and correction of, personal information provided by these principles;

      (d) purposes for which the information is collected;

      (e) main consequences of not providing the information;

      (f) actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information of the kind collected;

      (g) fact that the avenues of complaint available to the individual if he or she has a complaint about the collection or handling of his or her personal information are set out in the agency’s or organisation’s Privacy Policy; and

      (h) fact, where applicable, that the collection is required or authorised by or under law.

3.3 The main issues relate to:
    • whether the notification requirements should be contained in a separate privacy principle;
    • the nature and timing of, and exemptions from compliance with, the notification requirements; and
    • the matters that should be brought to an individual’s awareness when his or her personal information is collected.



A SEPARATE PRINCIPLE

3.4 At the moment, the requirements relating to notification under the Privacy Act are located in Principle 2 and NPP 1.3. Both of these principles deal with the collection of personal information.

3.5 The ALRC in Report 108 recommended that:

      The model Unified Privacy Principles should contain a principle called ‘Notification’ that sets out the requirements on agencies and organisations to notify individuals or otherwise ensure they are aware of particular matters relating to the collection and handling of personal information about the individual.2

3.6 The ALRC reasoned that dealing with notification in a separate principle recognises its importance in the information cycle, in particular, its role in encouraging transparency about an entity’s collection and handling of personal information, as well as in informing individuals about the treatment of their personal information, and their rights in this regard.3

3.7 In NSW, the notification requirements are also found in principles relating to collection, namely:

    • s 10 of PPIPA;4 and
    • HPP 4 of HRIPA.

3.8 The Commission agrees with the ALRC’s recommendation that there should be a distinct principle called “notification” that spells out the obligations of agencies to notify individuals, or to otherwise ensure they are aware, of certain matters relating to the collection and handling of their personal information. Placing the notification requirements within a principle that regulates the collection of personal information does not give sufficient recognition to the importance of the notification requirements.


NATURE AND TIMING

3.9 At the Commonwealth level, agencies are required by Principle 2 to take such steps as are, in the circumstances, reasonable to ensure that an individual is aware of specified matters before they collect personal information or, if that is not practicable, as soon as practicable after the information is collected.5

3.10 Similarly, organisations are obligated by NPP 1.3 to take reasonable steps at or before the time of collection or, if that is not practicable, as soon as practicable after collection, to ensure that the individual concerned is aware of certain matters.6


Notification as a means of ensuring awareness

3.11 Principle 2 and NPP 1.3 do not refer specifically to an obligation to notify. The obligation under these principles is to take steps to ensure that an individual is aware of specified matters. The issue that arises is whether the notification principle should also refer to an obligation to notify as a means of ensuring awareness.

3.12 The ALRC recommended that the notification principle should expressly refer to notification as a means of ensuring that an individual is aware of specified matters relating to the collection of his or her personal information.7

3.13 It emphasised, however, that agencies and organisations should be able to rely on means other than notification to ensure that an individual is aware of specified matters. It observed that to require notification in every case would unnecessarily increase compliance costs and may overload individuals with information of which they are already aware.8

3.14 It said that, as an example, a collecting agency or organisation could make inquiries or otherwise satisfy itself that an individual has been made aware of the specified matters by the agency or organisation which disclosed the information to it.9

3.15 Further, it said that it might be legitimate in some situations for agencies and organisations to alert the individual to specific sections of their Privacy Policy or other general documents as a means of ensuring that individuals are aware of the specified matters that are the subject of the notification principle.10

3.16 In NSW, s 10 of PPIPA and HPP 4 are worded similarly to their counterpart Commonwealth principles in that they refer to an obligation to take reasonable steps to ensure that the individual whose personal information has been collected has been made aware of specified matters. They do not expressly refer to notification as a means of ensuring awareness.

3.17 The Commission is of the view that entities that collect personal information can comply with the obligation under s 10 of PPIPA and HPP 4 (as well as under Principle 2 and NPP 1.3) by giving notice to the individual concerned, for example, by written correspondence. They can also comply with the obligation through mechanisms other than a formal notice. For example, where personal information is collected through an online order form, the information that the agency is required to give to the individual under the notification principle can be displayed in the vicinity of the “submit” button that the individual clicks to send his or her personal information. Alternatively, where the agency’s Privacy Policy contains the specified matters required under the notification principle and the Privacy Policy is displayed prominently on the agency’s website, the individual may be required to acknowledge, prior to clicking the “submit” button, that he or she has read the Privacy Policy.11

3.18 Although the Commission is of the view that the current provisions under both NSW and Commonwealth law already cover notification as a means of ensuring awareness of those matters that are the subject of the notification obligations, it nevertheless supports the ALRC recommendation. The provision in UPP 3 that those who collect personal information “must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of” certain matters clarifies that there may be several means of ensuring awareness and that notification is one of them.


Timing

3.19 In terms of timing, Principle 2 requires agencies to comply with the obligation before the collection of the personal information or, if that is not practicable, as soon as possible after the collection.12 NPP 1.3 covers both time frames but also allows organisations to comply with the obligation at the time of the collection.13

3.20 The ALRC recommended that the timeframe for compliance with the requirements under the notification principle should be standardised pursuant to the aim of achieving uniform privacy principles for agencies and organisations. It used NPP 1.3 as its template for this purpose. Consequently, it recommended that the obligations under UPP 3 should be complied with before or at the time an agency or organisation collects personal information or, if that is not practicable, as soon as practicable thereafter.14

3.21 In NSW, s 10 of PPIPA identifies two timeframes for compliance: before the information is collected, or as soon as practicable after collection. Unlike UPP 3, it does not mention compliance at the time of collection, although this is implied. More importantly, compliance after collection under s 10 is not subject to the condition found in UPP 3 that compliance before or at the time of collection is not practicable.

3.22 In contrast to s 10, HPP 4 already reflects the timeframes specified in UPP 3.

3.23 The Commission supports the timeframes found in UPP 3. The wording in UPP 3 that compliance be “[a]t or before the time (or, if that is not practicable, as soon as practicable after)” of the collection of personal information is better than the provision in s 10 of PPIPA since it specifies the intent that agencies and organisations must endeavour to comply with the notification requirements before, or at, the time of collecting personal information, if this is practicable under the circumstances. It is crucial that collectors of personal information comply with the notification requirements at the earliest possible time to enable the individual concerned to make informed decisions about his or her personal information. However, UPP 3 also recognises that this may not be practicable in every situation.15


Reasonable steps include no steps

3.24 Currently, Principle 2 requires agencies to “take such steps (if any) as are, in the circumstances, reasonable” to ensure that the individual concerned is generally aware of specified matters. The phrase “if any” indicates that it might be reasonable for agencies to take no steps to provide notice under certain circumstances.

3.25 The phrase “if any” is absent in NPP 1.3, which requires organisations to “take reasonable steps to ensure that the individual is aware” of certain specified matters. As a consequence, the ALRC believes that there is uncertainty over whether organisations are able to determine that, in certain circumstances, it would be reasonable to take no steps.

3.26 The ALRC recommended that the UPP 3 should provide expressly that an agency or organisation is obliged to take “such steps, if any, as are reasonable in the circumstances” to notify or otherwise ensure that an individual is aware of specified matters.16

3.27 The ALRC said that this addresses the confusion caused by the use of the phrase “must take reasonable steps” in NPP 1.3, which, in its view, implies that organisations must always take some active steps to comply with the notification obligations. The ALRC asserted that “in certain circumstances, logic dictates that it would be reasonable for no steps to be taken”. The ALRC bolstered its recommendation with the observation that it is consistent with Principle 2 and the privacy legislation of New Zealand.17

3.28 In addition to its recommendation for legislative clarification, the ALRC recommended that the Office of the Federal Privacy Commissioner (“OPC”) develop and publish guidance on specific circumstances when it would be reasonable for no steps to be taken to notify individuals about the collection of their personal information. The ALRC recommended that the OPC guidance should specifically address areas identified by the submissions as needing clarification, as well as areas recognised in other jurisdictions as being appropriately excluded from the coverage of the obligation to take reasonable steps. These include when:

    • notification would prejudice the purpose of collection, for example, when it would prejudice:
      • the prevention, detection, investigation and prosecution of offences;
      • legal action for breaches of a law imposing a penalty or seriously improper conduct;
      • the enforcement of laws; or
      • the protection of the public revenue;
    • collection of personal information is required or authorised by or under law for statistical or research purposes;
    • the personal information is collected from an individual on repeated occasions;
    • an individual has been made aware of the relevant matters by the agency or organisation which disclosed the information to the collecting agency or organisation;
    • non-compliance with the principle is authorised by the individual concerned;
    • non-compliance with the principle is required or authorised by or under law;
    • notification would pose a serious threat to the life or health of any individual; and
    • health services collect family, social or medical histories.18

3.29 In NSW, s 10 of PPIPA and HPP 4 both refer to an obligation to take reasonable steps to ensure that the individual whose personal information has been collected has been made aware of specified matters. Like NPP 1.3, they do not include the phrase “if any” in relation to the taking of reasonable steps. Consequently, it is arguably uncertain whether agencies under PPIPA and organisations under HRIPA are authorised to decide that, in certain circumstances, it would be reasonable to take no steps to make an individual concerned aware of the matters listed in s 10 and HPP 4.

3.30 The Commission supports the recommendation of the ALRC that UPP 3 should provide that an agency or organisation is obliged to take “such steps, if any, as are reasonable in the circumstances” to notify or otherwise ensure that an individual is aware of specified matters. The recommended wording of UPP 3 clarifies that the obligation embodied in the notification principle is not absolute, since there will be situations where entities that collect personal information would be justified in not notifying an individual of, or otherwise ensuring his or her awareness of, the matters listed in the principle. This recommendation, in tandem with the ALRC recommendation that the OPC issue guidance on specific circumstances when it would be reasonable for no steps to be taken to notify individuals about the collection of their personal information, effectively provides the basis for exemptions from compliance with the notification principle.


EXEMPTIONS

3.31 The ALRC examined whether the notification principle should spell out the circumstances in which an agency or organisation will not be required to comply with the principle.

3.32 In relation to this issue, the ALRC, in its DP 72, made several proposals, namely that:

    • agencies that collect personal information — whether directly from an individual or from someone other than the individual — should not be required to comply with the notification requirements if they are required or specifically authorised by or under law not to make the individual aware of one or more of the matters to be notified;19
    • agencies and organisations that collect personal information — whether directly from an individual or from someone other than the individual — should be required to comply with the notification requirements only in circumstances where a reasonable person would expect to be notified; and20
    • agencies and organisations that collect personal information — whether directly from an individual or from someone other than the individual — should be required to comply with the notification requirements except to the extent that making the individual aware of the specified matters would pose a serious threat to the life or health of any individual.21

3.33 In addition, the ALRC considered whether the notification principle should contain an exception relating to when personal information is collected for statistical purposes or research. This was a suggestion made by the Australian Bureau of Statistics (“ABS”), which said that it often collects information in relation to individuals other than from the individuals themselves, for example in the Census, where one person in a household may complete the form for the entire household. The ABS argued that a requirement to notify the individuals concerned when information about them is collected from another person would put a very heavy administrative burden on the ABS.22

3.34 In Report 108, the ALRC decided against incorporating in the notification principle specific circumstances in which an agency or organisation will not be required to comply. It reasoned that to do so would effectively incorporate detailed and prescriptive rules on the application of the principle, which would be inconsistent with the high-level principles approach it has adopted. Further, it argued that the provision for a limited number of exceptions to the principle might create a legitimate expectation that other circumstances will also be made the subject of an exception. The ALRC said that this “is likely to result in a proliferation of legislative exceptions, fundamentally at odds with a principles-based approach”.23

3.35 Instead of recommending legislative exceptions to the notification principle, the ALRC highlighted its recommendation that the OPC develop and publish guidance on the types of circumstances in which it may be reasonable for an agency or organisation to take no steps to notify individuals about the collection of their personal information.24


The law in NSW

3.36 In NSW, s 10 of PPIPA itself does not contain exemptions. However, various other sections of PPIPA (which are located in its Division titled “Specific exemptions from principles”) provide exemptions from compliance with s 10, including where:

    • the personal information concerned is collected for law enforcement purposes (whether or not the agency collecting the information is a law enforcement agency);25
    • compliance by an investigative agency with s 10 might detrimentally affect (or prevent the proper exercise of) the agency’s complaint handling functions or any of its investigative functions;26
    • the agency that collects the information is the Ombudsman’s Office;27
    • the agency is lawfully authorised or required not to comply with the principle concerned;28 and
    • non-compliance with s 10 is permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).29

3.37 In contrast to s 10 of PPIPA, HPP 4 contains exemptions in the principle itself. Its sub-clause (4) provides:

      (4) An organisation is not required to comply with a requirement of this clause if:

        (a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or

        (b) the organisation is lawfully authorised or required not to comply with it, or

        (c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or

        (d) compliance by the organisation would, in the circumstances, prejudice the interests of the individual to whom the information relates, or

        (e) the information concerned is collected for law enforcement purposes, or

        (f) the organisation is an investigative agency and compliance might detrimentally affect (or prevent the proper exercise of) its complaint handling functions or any of its investigative functions.




The Commission’s conclusion

3.38 The issue at hand is whether the notification principle should spell out exemptions from compliance with its provisions or whether such exemptions should be located elsewhere.

3.39 The ALRC has adopted a high-level principles approach in crafting the UPPs, which has the advantage of greater flexibility and adaptability. High-level privacy principles can more readily accommodate unforeseen circumstances and new technologies.30 Such an approach means minimising the inclusion of detailed and prescriptive rules in the privacy principles. In line with this approach, the ALRC has taken the view that UPP 3 should not spell out the specific circumstances in which an agency or organisation will not be required to comply. Instead, the exemptions would be addressed through its recommendation that the OPC issue guidance on specific circumstances when it would be reasonable for no steps to be taken to notify individuals about the collection of their personal information.

3.40 In the Introduction to this Report, the Commission recorded its general agreement with the ALRC’s view that principles-based regulation, which is complemented by specific rules in delegated legislation, should be the primary method for regulating information privacy in Australia.31 Consistent with this approach, the Commission supports the ALRC’s decision not to include specific exemptions in UPP 3. Should this principle be adopted in NSW, the current exemptions found in s 10 of PPIPA and HPP 4 will need to be relocated in delegated legislation such as regulations or, as recommended by the ALRC, in guidelines issued by the Privacy Commissioner.

3.41 The ALRC identified some of the circumstances that would potentially be exempted from the notification principle under the OPC guidelines and some of them reflect the exemptions found in s 10 of PPIPA and HPP 4, including where:

    • the collection of personal information is for law enforcement and investigative purposes;
    • the collection of personal information is required or authorised by or under law;
    • non-compliance with the principle is required or authorised by or under law;
    • non-compliance with the principle is authorised by the individual concerned; or
    • compliance with the notification principle would pose a serious threat to the life or health of any individual.

3.42 There are other circumstances which the ALRC has recommended for inclusion in the OPC guidelines, and which are not currently the subject of exemption under s 10 of PPIPA or HPP 4, such as where:
    • the personal information is collected from an individual on repeated occasions; or
    • an individual has been made aware of the relevant matters by the agency which disclosed the information to the collecting agency.

3.43 We agree that these matters ought to be considered for exemption from the notification principle under NSW law.


COLLECTION OF PERSONAL INFORMATION FROM A THIRD PARTY

3.44 There is currently a lack of consistency under the Privacy Act as to whether the notification obligations apply where the personal information is collected from someone other than the person to whom the information relates.

3.45 Principle 2 requires agencies to ensure that individuals are aware of specified matters relating to the collection of their personal information only where they collect the information from the individual concerned.

3.46 In contrast, NPP 1.3 requires organisations to ensure that individuals are aware of specified matters relating to the collection of their personal information, regardless of whether the information is collected directly from the individual or from someone other than the individual. Where an organisation collects information about an individual from someone else, the organisation may be exempted from the notification obligations to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.32

3.47 In Report 108, the ALRC recommended that agencies and organisations should be subject to an obligation to notify an individual of, or otherwise ensure an individual’s awareness of, specified matters relating to the collection of his or her personal information, regardless of whether that information is collected directly from the individual or from someone other than the individual.33

3.48 The ALRC noted that this obligation already applies to organisations. It emphasised the point that under UPP 3, agencies and organisations may under certain circumstances have to assess whether it will be reasonable, in exercising any of their functions, not to take any steps to notify individuals about the collection of their personal information.34

3.49 Moreover, it recommended that the OPC develop and publish guidance on the specific circumstances where it would not be reasonable to provide notification where personal information has been collected from a third party, including where:

    • the collection of personal information is required or authorised by or under law for statistical or research purposes;
    • notification would pose a serious risk to the life or health of any individual; or
    • health services collect family, social or medical histories.35



The law in NSW

3.50 In NSW, s 10 of PPIPA provides that “[i]f a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that … the individual to whom the information relates is made aware of” certain matters. By its terms, s 10 does not apply where the agency collects personal information from a person other than the person to whom the information relates.

3.51 This has been confirmed in HW v Director of Public Prosecutions (No 2),36 where the Administrative Decisions Tribunal held that s 10 only applies where an agency “collects personal information from an individual” to whom the information relates, not in relation to personal information from any individual. The Tribunal stated that:

      One of the purposes of section 10 is to enable an individual to be fully informed of the relevant factors before deciding whether to provide the information to the agency. This would not be a relevant consideration if the information is collected from a third party, and the individual to whom the information relates is separately informed of the collection.37

3.52 HPP 4 takes a different approach to s 10. HPP 4(1) requires an organisation that “collects health information about an individual from the individual” to take reasonable steps to ensure that the individual is aware of certain matters. However, HPP 4(2) provides that where “an organisation collects health information about an individual from someone else”, it must take reasonable steps to ensure that the individual is generally aware of the matters listed in subclause (1), except to the extent that this would pose a serious threat to the life or health of any individual; or the collection is exempted from compliance by guidelines issued by the Privacy Commissioner.


Submissions

3.53 In CP 3, we proposed that s 10 of PPIPA be amended to stipulate that its requirements apply whether the information is collected directly from the individual to whom the information relates or indirectly from someone else. We also queried whether s 10 should be amended to adopt the wording of HPP 4 or UPP 3, or some combination of the two.38

3.54 A number of submissions supported the idea that the notification requirements should apply whether the personal information is collected directly from the individual to whom the information relates or indirectly from someone else.39 The Australian Privacy Foundation and the Cyberspace Law and Policy Centre preferred the approach proposed in UPP 3.40

3.55 The Inner City Legal Centre also supported the proposal and said that the protections contained in s 10 of PPIPA would be significantly undermined if they did not apply to personal information that is indirectly collected. Further, it said that an individual would be “at a significant disadvantage in terms of correcting inaccuracies or complaining about misuse or disclosure of personal information if these fundamental principles do not apply to indirect collection”.41

3.56 The NSW Department of Corrective Services was the only agency that opposed the proposal, arguing that it is impractical.42


The Commission’s conclusion

3.57 The NSW privacy legislation should incorporate the provisions of UPP 3 relating to the obligation of entities that collect personal information to notify an individual of, or otherwise ensure an individual’s awareness of, specified matters relating to the collection of his or her personal information, regardless of whether that information is collected directly from the individual or from someone other than the individual.

3.58 The Commission agrees with the statement of the Administrative Decisions Tribunal in HW v Director of Public Prosecutions (No 2) that one of the functions of the notification requirements is to enable an individual to be fully informed of the relevant factors before deciding whether to provide the information to the agency. However, the Commission considers that the notification requirements perform other functions, including informing those whose personal information has been collected of the legal basis and purpose of the collection; of their rights to access and, if appropriate, to correct the information; and of the availability of avenues of complaint. These matters are relevant not only to individuals who provide the information themselves but also to those whose personal information was given to an agency by a third party. It is arguable, for example, that the chances that the information may not be accurate, complete or up-to-date are higher where the information was provided by a third party than where the information was given directly by the person to whom the information relates. The individual whose personal information was collected from a third party should therefore be able to examine its quality and accuracy and request its correction, if appropriate.

3.59 There are, of course, situations where an agency collects information from a third party and it would not be appropriate to notify the individual concerned about the collection, for example, in criminal investigations. UPP 3 provides for such situations by allowing agencies to determine whether it will be reasonable in the circumstances not to take any steps to notify individuals about the collection of their personal information.


CONTENT OF NOTIFICATION

3.60 This section examines each of the items in UPP 3 that are the subject of the notification principle.


The fact and circumstances of collection

3.61 The Principles and NPPs under the Privacy Act do not require an agency or organisation to notify an individual that it has collected, or is about to collect, personal information about that individual.

3.62 The ALRC recommended that:

      Agencies and organisations should be required to notify or otherwise ensure that an individual is aware of the fact and circumstances of the collection of his or her personal information where the individual may not be aware of such collection. Circumstances of collection may include how and when the information was collected.43

3.63 The recommendation addresses the situation where an individual is not aware that his or her personal information has been collected. The ALRC is particularly concerned about new technologies that allow the collection of personal information without the knowledge of the individual concerned. These include invisible information collecting devices on web pages (such as “cookies”), hidden radio frequency identification (RFID) tags, and biometric systems such as facial and voice recognition devices.44

3.64 The ALRC said that it is important for individuals to know the fact and circumstances of the collection of their personal information to enable them to exercise any rights relating to that information, for example, those relating to access and correction. It added that such a requirement promotes transparency in the collection practices of agencies and organisations.45

3.65 The ALRC decided that where it is clear that an individual is aware that his or her personal information has been collected — for example, where an individual voluntarily provides the personal information — the collector of the information need not notify the individual about the fact and circumstances of the collection. The ALRC asserted that, if the individual is already aware of the collection, it would be superfluous to notify him or her of such collection. Further, it said that “the provision of such information could detract the individual’s attention from other important information relating to the collection, required to be provided by the agency or organisation, of which he or she is not aware”. Finally, the ALRC agreed with the argument in some of the submissions it received that imposing an obligation on agencies and organisations that is arguably unnecessary would not be cost effective since it would increase compliance costs but deliver very little additional privacy protection.46

3.66 In NSW, s 10(a) of PPIPA provides that “the fact that the information is being collected” should be among the matters of which agencies should ensure that the individual concerned is made aware. This provision differs from UPP 3(a) in two respects. First, it covers the fact, but not the circumstances, of the collection. Secondly, it is not confined to situations “where the individual may not be aware that his or her personal information has been collected”.

3.67 In contrast to s 10(a) and UPP 3(a), HPP 4 does not contain an equivalent provision.

3.68 The Commission supports the ALRC’s recommendation. A requirement similar to the one in s 10(a) that the individual concerned should be made aware of the fact that his or her personal information has been collected is largely superfluous, since the privacy notice (or other means of achieving awareness of the collection) that is to be provided to that individual would necessarily imply this fact. When being notified about the identity and contact details of the collector; the purpose and legal basis of the collection; that he or she may request access to and (if appropriate) correction of the information; and that there are avenues for complaint relating to the collection and handling of personal information — the individual would inevitably become aware that his or her personal information is being, or has been, collected. The usefulness of the information about the fact of collection lies mainly in providing a premise for the other matters that are the subject of the notification principle.

3.69 In comparison, the additional requirement in UPP 3(a) that the individual be informed about the circumstances of the collection is of greater significance. This is because it would allow the individual to assess whether the collector has complied with requirements relating to collection, in particular UPP 2.2, which requires the collector to “collect personal information only by lawful and fair means and not in an unreasonably intrusive way”. Hence, by covering both the fact and circumstances of collection, UPP 3(a) is an improvement on the requirement found in s 10(a) of PPIPA.

3.70 The Commission agrees, in principle, with the qualification in UPP 3(a) that agencies and organisations should be required to notify an individual, or otherwise ensure that an individual is aware, of the fact and circumstances of the collection of his or her personal information only where the individual may not be aware of such collection. We agree with the ALRC’s argument that, where the individual is already aware of the collection, it may be redundant to notify him or her of such collection. It must, however, be acknowledged that it will not always be certain whether the individual concerned is, in fact, aware that his or her personal information has been collected. In the Commission’s view, the safe approach is for agencies and organisations to take steps, as a matter of course, to ensure that the individual is notified, or made aware of the fact and circumstances, of the collection of his or her information. It is doubtful whether the provision of such information would necessarily involve unreasonable costs to the agency or organisation.


Collector’s identity, individual’s rights, and consequences of not providing information

3.71 NPP 1.3 contains obligations relating to notification of: (a) the collector’s identity, (b) an individual’s rights relating to access, and (c) the main consequences of not providing the information. The Principles do not impose any of these obligations on agencies. The ALRC recommended that such obligations should also apply to agencies.

Collector’s identity and contact details

3.72 The ALRC recommended that agencies and organisations should have an obligation to inform individuals of the identity and contact details of the agency or organisation that collected the personal information. It reasoned that individuals should know whom to contact in order to exercise any rights that they may have relating to their personal information, and the means by which contact can be made.47

3.73 The recommended obligation is already reflected in s 10(f) of PPIPA and HPP 4(a). There are no policy reasons why this specific obligation should be abolished in NSW. The provision of information about the identity and contact details of the entity that collects the personal information is fundamental to the ability of individuals to take measures to protect, or otherwise to make decisions about, their personal information.

Access and correction rights

3.74 The ALRC recommended that the notification principle include an obligation to inform individuals about their rights under the UPPs to access, and correct, their personal information. It said that awareness of such rights is essential to encouraging individuals to exercise those rights to ensure the accuracy of their personal information. Further, it said that this particular notification obligation complements the ‘Data Quality’ Principle, which obliges collectors of personal information to make sure that the information they collect is accurate, complete, up-to-date and relevant.48

3.75 This recommendation is already reflected in s 10 of PPIPA.49 In comparison, HPP 4 lists “the fact that the individual is able to request access to the information”50 but does not mention the fact that the individual can also request correction of the information.

3.76 The Commission supports this recommendation for the reasons given by the ALRC. Should it be adopted in NSW, the recommendation would improve the notification principle as it relates to health information, since individuals whose health information is collected would need to be informed that they are able not just to access but also to correct such information, in case it is inaccurate, incomplete or out-of-date.

Consequences of not providing information

3.77 The ALRC said that individuals should be entitled to know the main consequences of not providing their personal information, for example, that it may result in the individual not being able to access a service or benefit.51 Accordingly, UPP 3(e) provides that the notification obligations should include information about the “main consequences of not providing the information”.

3.78 Section 10 of PPIPA and HPP 4 both contain the substance of this recommendation, but their wording is more precise than that found in UPP 3.

    • Section 10(d) contains the words: “any consequences for the individual if the information (or any part of it) is not provided”.
    • HPP 4(c) states: “the main consequences (if any) for the individual if all or part of the information is not provided”.

3.79 These provisions contain two points that are not clearly dealt with in UPP 3(e). First, the phrase “if any” in HPP 4(c) expressly covers the situation where there are no consequences arising from the information not being provided, in which case there is no need to comply with this particular requirement. Secondly, both provisions cover the situation where only part of the information is not provided and there are consequences arising from this. The Commission considers that UPP 3(e) should be reworded to cover these situations.

RECOMMENDATION 4

      UPP 3(e) should be modified in the following way:

      UPP 3. Notification

      At or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of, the:

      (e) main consequences (if any) of not providing all or part of the information.

Purposes for which information is collected

3.80 Principle 2(c) and NPP 1.3(c) require agencies and organisations to ensure that an individual is aware of the purposes for which his or her personal information is collected.

3.81 The ALRC recommended that this obligation should continue to be included in the UPPs, simply stating that there is no policy reason to amend or remove it.52

3.82 Some of the submissions it received expressed concern about compliance with this obligation in circumstances where there are several purposes. The ALRC said that, if the collector of the information knows at the time of collection that it intends to use the information for other purposes related to the main purpose of collection, it should make the individual aware of these related purposes. The ALRC noted that this issue is already the subject of guidance from the OPC.53

3.83 In NSW, both s 10 of PPIPA and HPP 4 require agencies and organisations to ensure that an individual is aware of the purposes for which his or her personal information is collected.54

3.84 The Commission supports the ALRC’s recommendation to maintain the obligation to inform individuals of the purposes for which their personal information is collected. Under the purpose specification principle, which is one of the core principles of data protection under the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,55 collection of personal data or information must be for specified purposes and the subsequent use is limited to the fulfilment of those purposes or such others as are not incompatible with those purposes. The recommendation under consideration is one of the means of implementing this core principle.56 The information about the purposes of the collection enables the individuals concerned to take measures to protect their personal information, including withholding it if they do not agree with the specified purposes, or making a complaint if the information is used for purposes other than the specified purposes.


Entities to which information is usually disclosed

3.85 Principle 2(e) requires agencies to ensure that an individual whose personal information has been collected is generally aware of:

      any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first-mentioned person, body or agency to pass on that information.

3.86 NPP 1.3(d), on the other hand, requires organisations to ensure that an individual whose personal information has been collected is aware of:

      the organisations (or the types of organisations) to which the organisation usually discloses information of that kind.

3.87 The ALRC’s recommendation on this matter is encapsulated in UPP 3(f), which requires agencies and organisations to ensure that an individual whose personal information has been collected is aware of:

      actual or types of organisations, agencies, entities or other persons to whom the agency or organisation usually discloses personal information of the kind collected.

3.88 UPP 3(f) extends the notification obligations of organisations by covering not just other organisations but also agencies, entities and other persons to whom the collector-organisation usually discloses personal information of the kind collected. The ALRC asserted that it is important to present individuals whose personal information has been collected with a complete picture of the collector’s usual disclosures to enable them to make informed decisions about protecting their personal information.57

3.89 UPP 3(f) also clarifies that agencies and organisations are required to inform individuals of the actual, as well as types of, entities to which they disclose personal information. The ALRC observed that this is consistent with current guidance from the OPC, which allows general descriptions of sets of people and organisations (for example, “State Government licensing authorities” and “State police forces”).58

3.90 The ALRC commented that the specificity of the information needed to comply with this requirement would depend on the particular circumstances. It said that there is “a need to strike a balance between providing useful and digestible information to an individual and ensuring that the costs and compliance burden in meeting the obligation are not unduly onerous”. It recommended that the OPC develop and publish guidance on the appropriate level of specificity when notifying individuals about the entities to which personal information of the kind is usually disclosed.59

3.91 In NSW, HPP 4(d) refers to “the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind”. This provision is very similar to UPP 3(f). In relation to personal information other than health information, s 10(c) of PPIPA, which refers to “the intended recipients of the information”, appears to be the comparable provision.

3.92 The Commission supports the ALRC recommendation. It would be onerous and, in many cases, impractical to require entities that collect personal information to inform individuals of the entities to whom the information will actually be disclosed, since this may not be known at the time of notification. It is more pragmatic to require the collecting entity to ensure that the individuals concerned are aware of the actual and types of entities to whom the agency or organisation usually discloses personal information of the kind collected. Such information, together with the other matters that are the subject of the notification principle, should be sufficient to assist individuals in taking measures to safeguard their personal information if they deem it necessary or desirable in the circumstances. It should also be noted that, as indicated above, the ALRC’s recommendation is already reflected in the NSW requirements relating to health information.


Avenues of complaint

3.93 The Principles and NPPs do not currently require an agency or organisation to notify an individual whose personal information is being, or has been, collected of the avenues of complaint if he or she has a privacy complaint.

3.94 The ALRC, in its examination of the openness principle, recommended that each agency and organisation should produce a written and publicly available Privacy Policy that sets out its policies on how it manages the personal information it collects. The avenues of complaint available to individuals in the event that they have a privacy complaint are among the matters that the ALRC recommended for inclusion in the Privacy Policy.60

3.95 In addition, the ALRC considered it important that, at or about the time personal information is collected, the individual concerned be notified, or otherwise made aware, of the fact that there are avenues of complaint available in the event that they have a privacy complaint. It said that this would promote accountability and transparency, and help create a regulatory environment where individuals are aware that they may take steps to protect their personal information.61

3.96 The ALRC, however, considered it unnecessary for an individual to be notified or made aware of the actual avenues of complaint at the time of the collection of his or her personal information. It said that this notice should be located more appropriately in the Privacy Policy of the agency or organisation.62 The ALRC was concerned about putting any unnecessary detail in privacy notices.63 Consequently, it recommended that the fact that there are avenues of complaint available to individuals, and that these are set out in the agency’s or organisation’s Privacy Policy, should be among the subject matters for notification.64

3.97 There is currently no provision in the relevant NSW statutes that is the equivalent of the ALRC recommendation.

3.98 The Commission is strongly in favour of informing individuals whose personal information is collected that there are avenues for complaint with respect to the collection or handling of the information. It also agrees with the ALRC’s view that it is important to minimise the danger of overloading individuals with too much information in the privacy notices since this can impinge on their capacity and willingness to process and retain such information. It is sufficient for the collector of information to inform individuals at the notification stage about the availability of avenues of complaint and to refer them to its Privacy Policy, which will have details of the avenues of complaint.65


Information required or authorised by or under law

3.99 Both the Principles and NPPs contain a notification requirement about the legal basis of the collection of personal information. However, the relevant Principle and NPP are worded differently.

3.100 Pursuant to Principle 2(d), agencies are required, where applicable, to ensure that individuals whose personal information has been collected are aware of “the fact that collection of information is authorised or required by or under law”.

3.101 NPP 1.3(e), on the other hand, requires organisations to ensure that individuals whose personal information has been collected are aware of “any law that requires the particular information to be collected”.

3.102 The OPC’s guidance on Principle 2(d) states:

      An IPP 2 notice should refer to each provision of legislation which:
        • requires an agency to collect the personal information; or
        • specifically authorises an agency to collect the information.
      If legislation does not refer to a specific power, but only gives the agency a general function which includes collecting personal information, the IPP 2 notice should still refer to the legislation.66

3.103 The OPC’s guidance on NPP 1.3(e) provides that:

      In describing the law the organisation need not specify the exact piece of legislation (although it would be desirable to do so where possible). A statement like ‘taxation law requires us to collect this’ would ordinarily be adequate.67

3.104 The ALRC considered it important to retain an obligation relating to notification of the legal basis for the collection of personal information and said that the obligation should be standardised for agencies and organisations.68

3.105 It said that the wording of Principle 2(d) is of particular relevance to the many agencies that have coercive information-gathering powers. Consequently, it concluded that, from a practical point of view, it is appropriate to use Principle 2(d) as the template for drafting this particular obligation. UPP 3(h) therefore requires agencies and organisations to notify an individual, or otherwise ensure that an individual is aware, of the “fact, where applicable, that the collection is required or authorised by or under law”.

3.106 The ALRC also recommended that the OPC develop and publish guidance as to what would be required of organisations as a result of the recommended redrafting of the obligation as it applies to them.69

3.107 In NSW, the relevant provisions refer to the law that requires the collection.

    • Section 10(d) of PPIPA uses these words: “whether the supply of the information by the individual is required by law”.
    • HPP 4(d) states: “any law that requires the particular information to be collected”.

3.108 The Commission supports the wording in UPP 3, which is more comprehensive than the NSW provisions since it covers situations where a law authorises, but does not necessarily require, the collection of the information. As the ALRC pointed out, such situations are of particular relevance to agencies that are authorised by or under law to collect personal information as part of their regulatory or law enforcement functions.


FOOTNOTES

1. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 1 [23.1].

2. ALRC Report 108 vol 1 Recommendation 23-1.

3. ALRC Report 108 vol 1 [23.13].

4. For illustration of an application of this section, see SW v Forests NSW [2006] NSWADT 74 (one of employees of Forests NSW took photographs of SW at a work-related function and did not take reasonable steps to ensure SW was aware that her photographs were being taken and the purpose for this).

5. Privacy Act 1988 (Cth) s 14 Principle 2.

6. Privacy Act 1988 (Cth) sch 3 NPP 1.3.

7. ALRC Report 108 vol 1 [23.27], Recommendation 23-2.

8. ALRC Report 108 vol 1 [23.28].

9. ALRC Report 108 vol 1 [23.29].

10. ALRC Report 108 vol 1 [23.30]. The ALRC recommended that the OPC develop and publish guidance on the circumstances in which an agency or organisation can comply with specific requirements under the notification principle by alerting an individual to specific sections of its Privacy Policy or other general documents containing the requisite information: ALRC Report 108 vol 1 [23.31], Recommendation 23-3(c).

11. See J Douglas-Stewart, Annotated Privacy Principles (Adelaide, Presidian Legal Publications, 3rd ed, 2007) [2-360].

12. Privacy Act 1988 (Cth) s 14 Principle 2.

13. Privacy Act 1988 (Cth) sch 3 NPP 1.3.

14. ALRC Report 108 vol 1 [23.32], Recommendation 23-2.

15. See ALRC Report 108 vol 1 [23.33]-[23.34].

16. ALRC Report 108 vol 1 [23.48], Recommendation 23-2.

17. ALRC Report 108 vol 1 [23.48]-[23.49].

18. ALRC Report 108 vol 1 [23.50], Recommendation 23-3(a).

19. Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper No 72 (2007) (“ALRC DP 72”) Proposals 20-4, 20-5(b)(iii).

20. ALRC DP 72 Proposals 20-2(1), 20-5(b)(i).

21. ALRC DP 72 Proposals 20-2(2), 20-5(b)(ii).

22. ALRC Report 108 vol 1 [23.67]-[23.68].

23. ALRC Report 108 vol 1 [23.70].

24. ALRC Report 108 vol 1 [23.71]-[23.74], Recommendation 23-3. See also para 3.24-3.30.

25. Privacy and Personal Information Protection Act 1998 (NSW) s 23(3). However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.

26. Privacy and Personal Information Protection Act 1998 (NSW) s 24(1).

27. Privacy and Personal Information Protection Act 1998 (NSW) s 24(6).

28. Privacy and Personal Information Protection Act 1998 (NSW) s 25(a).

29. Privacy and Personal Information Protection Act 1998 (NSW) s 25(b).

30. See ALRC Report 108 vol 1 Ch 18.

31. Para 0.5-0.9.

32. Privacy Act 1988 (Cth) sch 3, NPP 1.3, 1.5.

33. ALRC Report 108 vol 1 [23.90], Recommendation 23-2.

34. ALRC Report 108 vol 1 [23.91].

35. ALRC Report 108 vol 1 [23.92], Recommendation 23-3(a).

36. HW v The Director of Public Prosecutions (No 2) [2004] NSWADT 73.

37. HW v The Director of Public Prosecutions (No 2) [2004] NSWADT 73 [23].

38. NSW Law Reform Commission, Privacy Legislation in New South Wales, Consultation Paper No 3 (2008) Proposal 10, Issue 33.

39. Australian Privacy Foundation, Submission, 8; Cyberspace Law and Policy Centre, Submission, 21; Inner City Legal Centre, Submission, 15.

40. Australian Privacy Foundation, Submission, 8; Cyberspace Law and Policy Centre, Submission, 21.

41. Inner City Legal Centre, Submission, 15.

42. NSW Department of Corrective Services, Submission, 2.

43. ALRC Report 108 vol 1 [23.108] (emphasis added).

44. ALRC Report 108 vol 1 [23.104]-[23.105], [23.109].

45. ALRC Report 108 vol 1 [23.109].

46. ALRC Report 108 vol 1 [23.110].

47. ALRC Report 108 vol 1 [23.120].

48. ALRC Report 108 vol 1 [23.121].

49. Privacy and Personal Information Protection Act 1998 (NSW) s 10(e).

50. Health Records and Information Privacy Act 2002 (NSW) sch 1 HPP 4(b).

51. ALRC Report 108 vol 1 [23.122].

52. ALRC Report 108 vol 1 [23.129].

53. ALRC Report 108 vol 1 [23.130].

54. Privacy and Personal Information Protection Act 1998 (NSW) s 10(a); Health Records and Information Privacy Act 2002 (NSW) sch 1 HPP 4(1)(c).

55. Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) Guideline 9. The preamble to the Privacy Act 1988 (Cth) states that Australia is a member of the OECD; that the Council of the OECD has recommended that member countries take into account in their domestic legislation the privacy principles set out in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); and that Australia has expressed its intention to participate in the recommendation. See also United Nations, Guidelines Concerning Computerized Personal Data Files (1990) Principle 3.

56. See also Chapters 2 (Collection) and 5 (Use and Disclosure) of this Report.

57. ALRC Report 108 vol 1 [23.144].

58. ALRC Report 108 vol 1 [23.143].

59. ALRC Report 108 vol 1 [23.145]-[23.146].

60. ALRC Report 108 vol 1 Recommendation 24-1.

61. ALRC Report 108 vol 1 [23.153].

62. ALRC Report 108 vol 1 [23.154].

63. ALRC Report 108 vol 1 [23.152].

64. ALRC Report 108 vol 1 [23.154].

65. See para 4.15-4.20.

66. Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1–3: Advice to Agencies about Collecting Personal Information (1994) 17.

67. Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001) 31.

68. ALRC Report 108 vol 1 [23.158].

69. ALRC Report 108 vol 1 [23.161].

Last updated 22 December 2009