4. UPP 4: Openness

4.1 The principle of “openness” is concerned with the transparency of the information-handling practices of agencies. That is, it focuses on the ability of the public, specifically those whose personal information has been collected by an agency, to know what the agency’s practices are in relation to information collection and handling. How open is the agency in revealing to the public how it collects personal information and what it does with it?
ALRC REPORT 108
Model Unified Privacy Principle 4
4.2 In its Report 108, the ALRC noted that both the Principles and the NPPs set out in the Privacy Act1 already contain openness requirements,2 though not an overarching principle. The openness requirements are contained in Principle 5 and NPP 5.
4.3 Principle 5 addresses both openness and notification requirements. Principle 5.1 provides that a record-keeper in possession or control of records containing personal information must take reasonable steps to enable any person to find out whether such records are held in relation to him or herself and, if so:
- the nature of the information;
- the main purposes for which it is used; and
- how to go about obtaining access to the records.3
4.4 This obligation is not limited to where the person has made a request, unlike the comparable obligation in NPP 5. The record-keeper must keep a register of all records of personal information detailing:
- the nature of the records;
- the purpose for which each is kept;
- the classes of individuals about whom records are kept;
- how long each record is kept;
- who can have access and under what conditions; and
- how access can be gained.4
This register must be available for inspection by the public and a copy must be given to the Office of the Federal Privacy Commissioner (“OPC”) annually.5
4.5 NPP 5 provides that an organisation must have a document that clearly sets out its personal information management policies, and that this must be made available to anyone who asks for it.6 This is a more generally expressed obligation than the one in Principle 5, which, as noted above, prescribes specific matters that must be included in the register of records. NPP 5 further provides that anyone who asks what sort of personal information the organisation holds, and for what purposes, and how the organisation collects, holds, uses and discloses that information, must be told.7
4.6 The ALRC concluded that principles addressing openness and notification requirements8 should not be bundled into one.9 It recommended that the UPPs contain a discrete openness principle, unequivocally identified by being styled “Openness”,10 addressing the need for an agency or organisation to operate openly and transparently.11
4.7 The recommended openness principle, UPP 4, requires that an agency or organisation put in place:
a Privacy Policy that sets out clearly its expressed policies on the management of personal information, including how it collects, holds, uses and discloses personal information. This document should also outline the:
(a) sort of personal information the agency or organisation holds;
(b) purposes for which personal information is held;
(c) avenues of complaint available to individuals in the event that they have a privacy complaint;
(d) steps individuals may take to gain access to personal information about them held by the agency or organisation; and
(e) whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred.12
4.8 UPP 4 further provides that:
4.9 The ALRC also recommended that the OPC “encourage and assist agencies and organisations to make available short form privacy notices summarising their personal information-handling practices”,14 and that these be “seen as supplementing the more detailed information that is required to be made available to individuals under the Privacy Act”.15
The rationale behind Recommendation 24-1
A discrete principle
4.10 First, the ALRC was of the view that it was “not appropriate to deal with requirements relating to openness and notification in the same principle because of their important conceptual differences”.16 On the one hand, openness provisions benefit the public at large by enabling anyone at all to discover what an organisation’s general practices and policies are for the handling of personal information. On the other hand, “notification requirements” refer to an organisation’s obligation to notify a particular individual that the organisation plans to collect, or has collected, personal information about him or her, and to make that individual aware of certain matters relating to the use and handling of his or her personal information. The requirement is for the exclusive benefit of the individual whose personal information is being collected.17
4.11 The ALRC also took into account submissions to its DP 72.18 For example, the ALRC took note of the Public Interest Advocacy Centre’s view that a discrete principle would “serve to highlight the importance of this principle as a mechanism for ensuring open and transparent handling of personal information by agencies and organisations”.19 In addition, Privacy NSW put forward a compelling argument that an openness principle would not only “increase the transparency of organisations’ and agencies’ dealings with regard to … personal information”, but would also “assist in identifying and remedying compliance issues”.20
4.12 The ALRC concluded that a separate openness principle would promote “best practice in the handling of personal information”21 by enabling the OPC, and any other regulatory office or body, to examine privacy policies published in compliance with the openness UPP. An agency’s or organisation’s compliance with the Privacy Act could be monitored, and changes to practices and policies recommended as needed.22
Formulation of the principle
4.13 The ALRC noted that Principle 5 and NPP 5 set out different regulatory mechanisms, the former being quite specific and the latter being more general.23 As observed in paragraph 4.3, the obligations on an agency under Principle 5 are to enable anyone to find out certain specified matters about the records of personal information it keeps, and to maintain a record, available for public inspection, setting out a number of specified matters relating to the agency’s handling of personal information. This record must be given annually to the OPC, which uses it to create the Personal Information Digest.24
4.14 In comparison, the obligations on an organisation under NPP 5 are to set out in a document, made available for public inspection, the organisation’s policies on its management of personal information. A person who asks must be told, generally, what sort of personal information the organisation holds and for what purposes, and how it collects, holds, uses and discloses that information.
4.15 The ALRC examined the two contrasting mechanisms for achieving openness to determine the best model. It concluded that a general approach to regulating openness was to be preferred and proposed that:
the ‘Openness’ principle should set out the requirements on an agency or organisation to operate openly and transparently by providing general notification in a Privacy Policy of how it manages, collects, holds, uses and discloses personal information.25
The proposal was widely supported26 and incorporated in Recommendation 24-1.
4.16 Recommendation 24-1 abandons the Personal Information Digest required to be kept pursuant to Principle 5. This was in response to criticism that the mechanism was not operating successfully, was of limited utility and that the information could be disseminated better in other ways.27 The ALRC concluded that the purpose of the Personal Information Digest could be achieved more effectively by each agency and organisation producing a written, publicly available, Privacy Policy. Eliminating the need to provide the OPC with records for the Personal Information Digest would also ease the compliance burden on agencies.28
4.17 The advantages of a Privacy Policy, in which an agency or organisation documents how personal information is to be collected, held, used and disclosed, include the following:
- The agency or organisation will by necessity focus on how the UPPs apply to its activities, and will structure its operation so as to comply with the UPPs.29
- Accountability is promoted because the actual practices of the agency or organisation can be compared against the affirmed practices set out in the Privacy Policy.
- Transparency of the information-handling practices of particular agencies and organisations is increased.
- Individuals can make more informed choices about whether they wish to transact with particular agencies or organisations.
4.18 The matters that Recommendation 24-1 suggests should be contained in a Privacy Policy are less prescriptive than Principle 5 but more specific than NPP 5. It was felt that NPP 5 was too vague about what it required of organisations. Furthermore, the different purposes of an openness principle and a notification principle need to be considered and an appropriate balance struck between them. As the ALRC observed, “[a]n assessment of the content of one principle cannot be made without reference to the other”.30 Since a notification principle is, as it arguably should be, relatively prescriptive, an openness principle should be less so.31
4.19 The recommended UPP brings clarity to the openness obligations while keeping to a level of specificity that is in keeping with its purpose. Privacy Policies that end up being long and complex as a result of trying to comply with a prescriptive openness principle run the risk of overwhelming the customer and going unread.
4.20 The ALRC also concluded that it was appropriate to include in a Privacy Policy general information about the steps individuals may take to access and correct personal information, even though this is a matter dealt with in the notification principle. The former notifies members of the public of their rights; the latter instructs the individual in “the process by which that right can be exercised”.32 One “complements, but does not duplicate,” the other.33 Likewise, notifying the public in the Privacy Policy what avenues of complaint are available to individuals “complements, but does not duplicate,” the inclusion of this matter in the notification principle.34 However, in keeping with the high-level focus of the openness principle, the details of information to be provided about complaints-handling mechanisms should be a matter for guidelines, not the principle itself.35
Discussion Paper 72
4.21 In DP 72, the ALRC had proposed that, in addition to the matters set out in (a)-(d) of Recommendation 24-1, three further matters should be addressed in a Privacy Policy. These were:
- the types of individuals about whom records are kept;
- the period for which each type of record is kept; and
- the persons, other than the individual, who can access personal information and the conditions under which they can access it.36
The inclusion of these additional matters was not supported in submissions to DP 72 and the ALRC abandoned them in the final recommendation.
4.22 Information about the types of individuals about whom records are kept, and access to personal information by persons other than the individual, were thought to be unnecessary, as this information can be gleaned from the agency’s or organisation’s purposes for handling personal information.37 It can also be ascertained from a general description of the agency’s or organisation’s disclosure practices set out in its Privacy Policy, and from information provided in compliance with the notification principle.38
4.23 It was also decided that having to provide details in a Privacy Policy about retention periods for each type of record containing personal information might be too costly and burdensome.39
4.24 The ALRC’s final recommendation included a matter not originally proposed in DP 72. This was “whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred”.40 This was included in response to concerns expressed to the ALRC about agencies and organisations sending personal information overseas.41
NSWLRC’S CONSULTATION PAPER 3
4.25 There is no direct equivalent of UPP 4, requiring the creation of a Privacy Policy, in either the IPPs contained in PPIPA or the HPPs contained in HRIPA. The closest equivalent principles are s 13 of PPIPA (IPP 6) and HPP 6.
4.26 IPP 6, “Information about personal information held by agencies”, provides:
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person:
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person’s entitlement to gain access to the information.
4.27 HPP 6 applies to health information in identical terms but allows an exception to compliance with the provision if non-compliance is lawfully authorised or required, or otherwise permitted under an Act or any other law.42 This exception is not present in IPP 6.
4.28 There is a fundamental difference between the proposed UPP 4 on the one hand and IPP 6 and HPP 6 on the other hand that gives these principles different roles and emphases. Pursuant to UPP 4, an agency or organisation informs the public at large of its information management policies and practices. Anyone at all can access the Privacy Policy to learn about how the agency or organisation collects, holds, uses and discloses personal information, the sort of personal information held and for what purpose, how to make a complaint, how to access information, and policies on overseas transfer of information.
4.29 In contrast, IPP 6 and HPP 6 make limited information available, to an individual who requests it, about whether the agency holds personal information generally and whether it holds personal information specifically in relation to that individual. It is only if there is information relating to that individual that he or she then has a right to ask what the nature of that information is, the main purposes for which it is used, and his or her entitlement to gain access. There is nothing in IPP 6 or HPP 6 that compels public disclosure of an agency’s or organisation’s information privacy policies and practices.
4.30 No issue was raised in relation to either IPP 6 or HPP 6 in CP 3 as both principles were seen by the Commission as effectively fulfilling their functions. No submissions raised the desirability of introducing a privacy principle, operating separately from IPP 6 and HPP 6, fulfilling a different, more general, role.
CONCLUSION
4.31 It is clear, then, that IPP 6 and HPP 6 do not perform the same function as UPP 4 and that there is no other equivalent principle in the State legislation.
4.32 PPIPA allows for the making of privacy codes of practice by public sector agencies43 but they are rarely framed in terms akin to a Privacy Policy. The closest example is the Privacy Code of Practice for the NSW Public Sector Workplace Profile 2004. It sets out the management arrangements for the Profile, such as who has responsibility for managing and administering the Profile, and who can access information. It states what provisions, or types of information, are exempt from PPIPA; sets out the information that is to be covered by the Code; states the purpose of collection and to what use the information will be put; describes how the IPPs will apply and where they will vary; provides for what access an employee can have to his or her information, and what authorised officers, other agencies or authorities can have access; and addresses storage, transmission and alteration of information. In the main, however, privacy codes are formulated by an agency for the sole purpose of modifying or waiving the application of the IPPs to that agency. They contain no statement of the principle of openness, statement of policies, or statement of intention to operate openly and transparently.
4.33 The Commission supports the concept and formulation of UPP 4, and its adoption into NSW privacy legislation, for the following reasons.
4.34 The threshold reason to have an openness principle at all is to promote a culture of trust and reliability between the public, whose personal information is collected, used, stored and shared, and the agency that must handle that information in order to perform its function. The Commission fully supports transparency and openness in an agency’s information-handling practices and policies, and supports the public’s right to ascertain readily information regarding those practices and policies.
4.35 The Commission agrees with the ALRC that it is not appropriate merely to incorporate a principle of openness into the notification principle. The focus and role of each is quite different and should be distinguished from each other by being expressed in separate principles. As the ALRC noted, and as is explained more fully above, openness provisions benefit the public at large, whereas “notification requirements” are for the exclusive benefit of the individual whose personal information is being collected.
4.36 Furthermore, the Commission agrees with the identified advantages of a Privacy Policy and is of the view that this approach would work equally well for State agencies. We also agree with the balance struck between the prescriptiveness of Principle 5 and the generality of NPP 5.
4.37 As explained in the Introduction, the Commission supports national uniformity, where possible, in privacy laws. In striving for uniformity, the Commission sees no justification for departing from the detail of UPP 4 in formulating a NSW openness principle.
4.38 The Commission is of the view that an openness principle, in the form of UPP 4, should apply to both personal information and health information. There is no need for a separate health principle to be formulated addressing openness.
FOOTNOTES
1. The Principles are set out in s 14 of the Privacy Act 1988 (Cth) and the NPPs are set out in Schedule 3 to the Act.
2. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 1 [24.2].
3. Unless the record-keeper is required or authorised under a Commonwealth law regulating access to documents to refuse to give out the information: Principle 5.2.
4. Principle 5.3.
5. Principle 5.4.
6. NPP 5.1.
7. NPP 5.2.
8. See ALRC Report 108 vol 1 UPP 3.
9. ALRC Report 108 vol 1 [24.9]-[24.12].
10. ALRC Report 108 vol 1 [24.913].
11. ALRC Report 108 vol 1 Recommendation 24-1, UPP 4. The notification principle is UPP 3, discussed in Chapter 3.
12. ALRC Report 108 vol 1 UPP 4.1, Recommendation 24-1.
13. ALRC Report 108 vol 1 UPP 4.2, Recommendation 24-1.
14. ALRC Report 108 vol 1 Recommendation 24-3.
15. ALRC Report 108 vol 1 Recommendation 24-3.
16. ALRC Report 108 vol 1 [24.10].
17. ALRC Report 108 vol 1 [24.10]-[24.11].
18. Australian Law Reform Commission, Review of Australian Privacy Law Discussion Paper 72 (2007) (“ALRC DP 72”).
19. Public Interest Advocacy Centre, Submission PR 548, 26 December 2007, cited in ALRC Report 108 vol 1 [24.8].
20. Privacy NSW, Submission PR 468, 14 December 2007 cited in ALRC Report 108, vol 1 [24.7].
21. ALRC Report 108 vol 1 [24.12].
22. ALRC Report 108 vol 1 [24.12].
23. ALRC Report 108 vol 1 [24.14]. See para 4.3-4.5 where these mechanisms are set out.
24. This is the record of personal information required to be maintained by a federal government agency pursuant to s 14 of the Privacy Act 1988 (Cth), Principle 5, and provided to the Privacy Commissioner annually.
25. ALRC DP 72 Proposal 21-1.
26. See ALRC Report 108 vol 1 [24.18].
27. ALRC Report 108 vol 1 [24.16].
28. ALRC Report 108 vol 1 [24.21], [24.25].
29. ALRC Report 108 vol 1 [24.22].
30. ALRC Report 108 vol 1 [24.48].
31. ALRC Report 108 vol 1 [24.48]-[24.49].
32. ALRC Report 108 vol 1 [24.51].
33. ALRC Report 108 vol 1 [24.51].
34. ALRC Report 108 vol 1 [24.52].
35. ALRC Report 108 vol 1 [24.54].
36. ALRC DP 72 Proposal 21-2.
37. ALRC Report 108 vol 1 [24.57].
38. ALRC Report 108 vol 1 [24.57].
39. ALRC Report 108 vol 1 [24.58].
40. ALRC Report 108 vol 1 Recommendation 24-1 (e).
41. The ALRC conducted a National Privacy Phone-in, which logged a large number of calls expressing concern about this matter: ALRC Report 108 vol 2 [31.232].
42. Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 6(2).
43. Privacy and Personal Information Protection Act 1998 (NSW) Part 3 Division 1.