Report 123 (2009) - Privacy principles


7. UPP 7: Data quality


    Accuracy of data in the credit reporting environment is one of the most important consumer issues when analysing potential consumer harm. The consequences of inaccurate credit reporting information are significant.1

7.1 The impact of poor quality data is not, however, confined to the credit reporting arena. An individual’s pension entitlements could be assessed erroneously; travel documents could be denied or medical conditions misdiagnosed if decisions are made based on inaccurate, outdated or incomplete information.

7.2 Ensuring that an agency or organisation does not collect, use or disclose information without first taking reasonable steps to check that the information is accurate, complete and up to date is the core of the principle on data quality. In this chapter, the Commission analyses the model data quality principle recommended by the ALRC in Report 108 and explores its suitability in the NSW context.


ALRC REPORT 108


Model Unified Privacy Principle 7

7.3 In Report 108, the ALRC recommended that the model UPPs should contain a principle called ‘Data Quality’ that requires an agency or organisation to take reasonable steps to ensure that the personal information it handles is of an appropriately high quality.2 The ALRC believed that a single principle containing comprehensive data quality requirements would promote greater consistency, and increase public confidence, in the handling of personal information by agencies and organisations.

7.4 UPP 7 provides:

      An agency or organisation must take reasonable steps to make certain that the personal information it collects, uses or discloses is, with reference to the purpose of that collection, use or disclosure, accurate, complete, up-to-date and relevant.

7.5 UPP 7 modifies the existing data quality requirements in two significant ways. First, it applies to both public sector agencies and private sector organisations.3 Secondly, it expressly requires that the agency or organisation take reasonable steps to ensure that the personal information it collects, uses and discloses is relevant as well as accurate, up to date and complete.


The rationale behind Recommendation 27-1

Current Commonwealth law

7.6 In Report 108, the ALRC noted that ensuring the quality of the personal information that an agency or organisation collects, uses and discloses is one of the fundamental obligations of federal privacy laws.4 To this end, the Privacy Act 1988 (Cth) contains a number of provisions intended to ensure that agencies and organisations take whatever steps are reasonable to check that the personal information they handle is accurate, up to date, complete and (in respect of agencies only) relevant.5

7.7 The current NPPs, which regulate how personal information is handled in private sector organisations, contain a specific principle dealing with data quality. NPP 3 provides that:

      An organisation must take reasonable steps to make sure that the personal information that it collects, uses or discloses is accurate, complete and up-to-date.6

7.8 Under NPP 3, an organisation is required to take reasonable steps to check the information only at the time of collection, use or disclosure, and not at any other time.7 However, there may be other times where the information needs to be corrected, for example, at the request of the individual under the access and correction principle.8

7.9 While there is no “stand-alone” data quality principle applying to public sector agencies in the Privacy Act 1988 (Cth),9 features of data quality are present in a number of the Principles.10 Principle 3 provides that an agency must take reasonable steps to ensure that the information it asks for is: relevant for the purpose for which it is collected; up to date; and complete.11 Principle 7 provides that an agency should take whatever steps as are reasonable to ensure that the personal information in its records is relevant, up to date, complete, accurate, and not misleading.12 In addition, Principle 8 provides that an agency should not use the personal information in its records without taking reasonable steps to ensure that it is accurate, up to date and complete.13

7.10 The ALRC considered it anomalous that private sector organisations, but not public sector agencies, were subject to a discrete data quality principle, and, in its earlier discussion paper, proposed that a single data quality principle should apply to both public sector agencies and private organisations.14

Scope of existing data quality requirements

7.11 In formulating the model data quality principle, the ALRC took into consideration the scope of the existing requirements applying to private sector organisations and public sector agencies. The ALRC found that these differ in a number of ways. For example, while NPP 3 imposes data quality obligations at the time of collection, use and disclosure of personal information, Principles 3 and 8 impose data quality requirements only when the information is collected and used, not disclosed.15

7.12 There are also varying requirements relating to information outside the possession or control of the agency or organisation. Under NPP 3, an organisation must ensure that information it “collects, uses or discloses” is of a sufficiently high quality. Principle 8, on the other hand, applies more broadly to documents in an agency’s “possession or control”. Consequently, both the agency that outsources the handling of personal information to another agency, and the agency that merely holds the personal information on behalf of someone else, must comply with the data quality requirements.16

7.13 Another difference is the express requirement on public sector agencies that the information collected is relevant for the purpose for which it was collected.17 Principle 9 similarly requires that personal information be used only for “relevant purposes”.18 In contrast, there is no equivalent requirement of “relevance” in the NPPs.19

7.14 The way the data quality criteria are to be applied was also found to differ.20 Agencies are required to interpret the information they collect having regard “to the purpose for which the information was collected”21 and “to the purpose for which the information is proposed to be used”.22 There is no comparable requirement in any of the NPPs.

Discussion Paper 72

7.15 In DP 72, the ALRC proposed that there be one common principle applicable to both the public and private sector. Merging features of the existing data quality requirements, the ALRC proposed that an agency or organisation should be required:

      to take reasonable steps to make sure that personal information it collects, uses or discloses is, with reference to a purpose of collection permitted by the proposed UPPs, accurate, complete, up-to-date and relevant.23

Submissions to the ALRC in response to DP 72

7.16 A single discrete principle. The majority of submissions received by the ALRC in response to DP 72 supported the proposed data quality principle,24 and in particular, agreed that a single discrete data quality principle should apply equally to public sector agencies and private sector organisations.25 It was agreed that a single principle would remove the present confusion caused by the different standards applicable to agencies and organisations, and would promote greater consistency, and thereby increase public confidence, in the handling of personal information by agencies and organisations.

7.17 The ALRC rejected a suggestion that the data quality and data security principles26 be merged into one so that agencies and organisations would need to have reference only to the one principle dealing with the quality and security of record keeping.27 The ALRC was of the view that the two were quite distinct and warranted separate principles.

7.18 Possession or control. The ALRC considered that the data quality requirements should only apply to information that an agency or organisation “collects, uses or discloses”. It concluded that extending the data quality requirements to information in an agency’s possession or control would place an onerous, and often unreasonable, burden on agencies that merely hold personal information on behalf of someone else.28

7.19 Relevance. As proposed in DP 72, UPP 7 contains the added requirement that the information collected by an agency or organisation should be relevant for the purpose for which it is collected, used or disclosed.

7.20 Although there was broad support for adding the criterion of relevance to the data quality principle, a number of submissions were opposed to the proposal. One argument was that it was superfluous in light of the collection principle, which requires that an agency or organisation only collect information that is necessary for its purpose or function.29 Another was that it would prevent agencies and organisations from collecting personal information the relevance of which may only become apparent some time after collection.30

7.21 The ALRC rejected both arguments. Rather than being inconsistent with, or redundant because of, the collection principle, the ALRC considered that requiring information to be relevant to the purpose for which it is collected, used or disclosed would complement the collection principle.31 It also considered it appropriate to require an agency or organisation to use or disclose only that portion of the information it holds as is relevant to that particular use or disclosure.32

7.22 On the second point, the ALRC said that an agency or organisation that collected information that was unnecessary for one or more of its functions would be in breach of the collection principle. It was, therefore, appropriate that retaining such information should also put the agency or organisation in breach of the data quality requirements. In any case, the ALRC noted that Principle 3 already contained a relevance requirement; it was merely extending the obligation to private sector organisations.33

7.23 Measuring data quality. What standard of quality will discharge the obligations under UPP 7? In DP 72, the ALRC had originally proposed that the data quality principle be interpreted having regard to “a purpose of collection permitted by the proposed UPPs”.34 However, as submitted by the Cyberspace Law and Policy Centre, this standard may not be appropriate or even meaningful where the information is proposed to be used for a different (approved) purpose. Accepting this argument, the ALRC modified its original formulation so that the data quality principle be interpreted “having regard to the purpose for which it is collected, used or disclosed”.35

What are “reasonable steps” to take to ensure data quality?

7.24 What would be considered reasonable for an agency or organisation to do in order to ensure the data quality of the personal information it holds depends very much on the nature of that information and the purpose for which it is intended to be used and disclosed.36 Some information is not likely to require any updating as it is not likely to change, such as a person’s date of birth. Other kinds of personal information, however, do vary, and sometimes with great frequency, such as income and address details. In relation to these, it would therefore be reasonable to expect that an agency would take measures to check the information, probably with the individual concerned, and update the information if required. This would be particularly advisable where the information could be used to a person’s disadvantage.37 According to the Office of the Privacy Commissioner, most of the complaints it receives are about agencies using personal information that they had not first checked for accuracy.38

7.25 The legal obligation to maintain data quality arises only when an agency or organisation collects, uses or discloses the information.39 However, there is a concern that some organisations may interpret their obligations under the data quality principle in a way that could result in unjustifiable intrusions into an individual’s privacy,40 for example, by requesting information from a person to update their details when it is not strictly necessary to do so.

7.26 In order to respond to this concern, the ALRC considered whether UPP 7 should contain an express statement that the obligation to check the accuracy of personal information is qualified by the limitation that the organisation must take steps that are “reasonable” in the circumstances.41 As noted in the ALRC report, similar statements are provided for in OECD guidelines and in Canadian privacy laws.42 Principle 4.6.2 of the Personal Information Protection and Electronic Documents Act 2000 (Canada),43 for example, provides:

      An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

7.27 In its submission to both the ALRC and NSWLRC review, the Cyberspace Law and Policy Centre argued that there should be an express statement in the statute, or in a Note, or in the Explanatory Memorandum that, when determining what action is reasonable, agencies should give “primary regard … to the extent to which data processing error can have detrimental consequences for the data subjects.”44 It argued that this would ensure that agencies and organisations do not simply focus on their own needs when checking and updating personal information.

7.28 Ultimately, though, the ALRC’s preferred approach was to rely on guidelines issued by the Office of the Privacy Commissioner. These would detail the matters that an agency and organisation would need to consider when deciding what steps would be reasonable for it to take to check the accuracy of data.45 The guidelines would undoubtedly build upon those already published by the Privacy Commissioner.46 In its current guidelines on the Principles, for example, the Office of the Privacy Commissioner says that agencies that try to collect personal information which is irrelevant or unnecessary are likely to be intruding unreasonably on people’s privacy and could be found in breach of Principles 1 and 3.47 In addition, in a recently published Information Sheet48 for private organisations, the Office of the Privacy Commissioner notes that:

      Using personal information that is inaccurate, incomplete or out-of-date raises compliance and operational risks for businesses, and can result in adverse consequences for individuals.

      At the same time, organisations need to take a balanced approach to data accuracy. For example, data accuracy should not involve unnecessary intrusion on an individual’s privacy.49


Deceased individuals

7.29 In formulating the model UPP, the ALRC also gave consideration to its application to information relating to individuals who were deceased, and to decisions made by automated means.

7.30 The ALRC acknowledged that checking information relating to a person who has since died would undoubtedly present challenges for the agency or organisation. It agreed, for example, that the information was likely to become out of date following the death of the individual, and that checking the accuracy of the data would necessarily involve contacting third parties.50 Notwithstanding these difficulties, the ALRC recommended that the data quality principle be extended to personal information about deceased individuals. It noted that the obligations under the data quality principle are not overly onerous; they are qualified by the limitation that an agency or organisation need only take “reasonable steps” to ensure the accuracy of information relating to deceased individuals.51

7.31 Unlike the Commonwealth, NSW privacy law currently extends to the protection of personal information relating to an individual who has been dead for up to 30 years.52

Automated decision-making

7.32 Agencies and organisations are increasingly making use of wholly automated systems for data processing and decision-making. As these decisions can have a significant impact on the lives of people, and because such systems are not foolproof,53 many privacy advocates argue that automated decisions need to be periodically checked manually for accuracy and correctness. They argue that agencies and organisations should be required to perform these manual checks particularly where decisions are made that are detrimental to the individual, such as in loan or credit card applications, or access to welfare benefits.54

7.33 The ALRC considered whether reviews of automated decisions should be mandated within UPP 7 or whether it was sufficient to rely on guidelines issued by the Office of the Privacy Commissioner. These guidelines could indicate particular times and circumstances when it is appropriate for agencies and organisations to review automated decisions.55

7.34 The ALRC considered it unnecessary to add a further express requirement for a review of automated decisions in UPP 7, believing that the principle was framed broadly enough to achieve those outcomes.56 Assistance and information could, instead, be provided to agencies and organisations in the way of guidelines. It noted that material is already available from the Administrative Review Council and the Australian Government Information Management Office in relation to the use of computer decision-making models in the public sector, and that such material could inform the development of guidelines by the Office of the Privacy Commissioner.57


PRIVACY LEGISLATION IN NSW: CONSULTATION PAPER 3


Current data quality provisions

7.35 Although there is no discrete data quality principle in NSW privacy law, there are data quality requirements in the IPPs and in the HPPs.

7.36 IPP 4 and HPP 2 are expressed in the same terms. They require an agency or organisation that collects information from an individual to take reasonable steps to ensure that the information is:

    • relevant to the purpose for which it is collected;
    • not excessive;
    • up to date; and
    • complete.

7.37 The collection of the information must also not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.58

7.38 IPP 9 and HPP 9 are also similarly worded. They provide that an agency or organisation that holds information must take reasonable steps to ensure that, before using it, the information is relevant, accurate, up to date, complete and not misleading.59


Differences between the NSW provisions and UPP 7

7.39 UPP 7 requires four elements: accuracy, completeness, currency and relevance. IPP 4 and HPP 2 require these four elements but they additionally require that the information is “not excessive”. IPP 9 and HPP 9 also require the same four elements as UPP 7 but contain the added requirement that the information not be “misleading”. These differences are, arguably, semantic.

7.40 The requirement that agencies and organisations collect personal information that is “not excessive”, in the context of IPP 4 and HPP 2, would appear to mean that while the data must be complete, the agency and organisation must only gather information which is relevant to the purpose for which it is being collected. If the requirements for relevance, completeness and currency are satisfied, therefore, it is unlikely that the information collected would be considered excessive, thus suggesting that this requirement is redundant.

7.41 The same may be argued in relation to the requirement that personal information held by an agency or organisation should not be misleading. While it is possible that information that is accurate may nonetheless be misleading if it is either incomplete or irrelevant, the fact that IPPs 4 and 9, and HPPs 2 and 9 require all four elements – accuracy, completeness, currency and relevance – removes the likelihood that the information could be misleading.

7.42 Another difference between the NSW data quality provisions and UPP 7 is the qualification, in NSW law, that an agency or organisation “must not intrude to an unreasonable extent” in the individual’s privacy. The equivalent statement in the model UPPs is contained in the collection principle, specifically UPP 2.2. This provides that “an agency or organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way”.60 As the qualification relates to how agencies and organisations collect information, the Commission considers it is appropriate that it be contained in the collection principle rather than the data quality principle.61


Information collected indirectly from third parties

7.43 One issue raised in CP 3 was whether the notification and data quality requirements of PPIPA, contained in s 10⁶² and 11 respectively, apply to personal information that is not collected directly from the individual to whom the information relates.63 Both of these sections expressly apply where a public sector agency “collects personal information from an individual”. It is not immediately clear whether this phrase means collected directly from the individual about whom the information relates.64 This issue and its implications for the notification principle are explored in greater detail earlier in this report.65 The Commission’s analysis in relation to the application of the notification principle to information collected indirectly from a third party applies equally in relation to the application of the data quality principle.

7.44 The Administrative Decisions Tribunal has held that s 10 and 11 are limited to personal information collected directly from the individual concerned.66 However, there is an argument that the decision of the Tribunal in HW v Director of Public Prosecutions (No 2) may not be correct.67 After considering the decision in HW and the opposing view, the Commission concluded, in CP 3, that both the notification and data quality principles (IPPs 3 and 4) ought to apply regardless of whether the information was collected directly from the individual concerned or indirectly from another source.68

7.45 We also noted that this is consistent with the approach in HPP 4, which, in subclause (2) refers specifically to the situation where health information about an individual is not collected directly from that person. In those circumstances, the organisation is required to take reasonable steps to ensure that the individual is informed of the collection and made aware of matters equivalent to IPP 3.69

7.46 The majority of submissions that addressed this issue supported extending the data quality obligations to information obtained from a third party.70 However, the NSW Department of Corrective Services argued that it would be impractical for law enforcement agencies to comply with it, and they should therefore be exempted.71 The Crown Solicitor’s Office also foresaw compliance issues.72

7.47 The Commission’s proposal in CP 3 that the requirements imposed by IPPs 3 and 4 should apply whether the information is collected directly or indirectly73 is also consistent with UPP 3. This provides that agencies and organisations must notify or otherwise ensure that individuals are made aware of the fact that the information has been collected; and their rights of access to, and correction of the information.74 While it is not necessary to identify the source of the third party from whom the information was obtained, notifying the person of the matters in UPP 3 is a way of ensuring that the information is correct and consequently of complying with the data quality requirements. This rationale applies irrespective of whether information is collected directly or indirectly from the individual.75

7.48 Chapter 3 outlines the ALRC’s views and recommendations in relation to the entitlement of individuals to be notified of certain specified matters relating to the collection of their personal information regardless of whether that information was obtained directly from the individual or from a third party.76 The Commission supports the ALRC’s formulation of UPP 3 and recommends that UPP 3 be adopted in the NSW context.77


Unsolicited information

7.49 A similar issue arises in relation to personal information that an agency takes no active steps to collect. The treatment of unsolicited information is discussed in greater detail in Chapter 2. The Commission recommends the adoption of UPP 2.5 which essentially provides that where an agency or organisation receives unsolicited information, it must either destroy the information without using or disclosing it, or, if it decides to retain the unsolicited information, comply with all the relevant privacy principles as if it had actively collected the information.78 This would include informing the individual concerned that the collection has taken place and checking the accuracy of information obtained from third parties.


THE COMMISSION’S CONCLUSIONS


Should NSW adopt UPP 7?

7.50 The Commission believes that NSW should adopt UPP 7 for a number of reasons. First, it is consistent with our broad policy aim of working, where possible, towards uniform privacy laws, or at the least, nationally consistent privacy laws.79 Although there are some semantic differences between UPP 7 and the NSW data requirements, the Commission believes that they are essentially very similar. UPP 7 does not dilute the current obligations on agencies in NSW. There is therefore no justification for departing from our aim to achieve uniformity. Another advantage of adopting UPP 7 is that it will clarify and consolidate into the one discrete principle the slightly different obligations that are presently spread out across four principles in NSW privacy laws. This will assist record-keepers to better understand their obligations, and thus promote greater compliance with privacy laws.


Should there be a separate data quality principle regulating health information?

7.51 The Commission notes that the data quality obligations on record-keepers in relation to the collection and handling of both personal information and health information in NSW are almost identical. UPP 7, as stated above, encapsulates the essence of the current data quality obligations under HRIPA. It is a high level principle equally applicable to the collection and handling of personal information as well as health information. The Commission therefore sees no need for a separate principle regulating data quality of health information.


FOOTNOTES

1. Galexia, “Credit Reporting Regulatory Framework: Submission to the ALRC Privacy Inquiry” (2007) «http://www.galexia.com/public/research/articles/research_articles-sub02.html» at 17 September 2009.

2. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) Recommendation 27-1.

3. This is consistent with the ALRC’s recommendation that a single set of privacy provisions ought generally to apply to both public sector agencies and private organisations, unless there are sound reasons to the contrary: see ALRC Report 108 vol 1 Recommendation 18-2.

4. ALRC Report 108 vol 2 [27.2].

5. Privacy Act 1988 (Cth) s 14 Principle 3(c), Principle 8, sch 3, NPP 3. See also ALRC Report 108 vol 2 [27.2] - [27.3].

6. Privacy Act 1988 (Cth) sch 3, NPP 3.

7. Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 43.

8. See Chapter 9 generally.

9. Privacy Act 1988 (Cth) s 14.

10. ALRC Report 108 vol 2 [27.4]-[27.5].

11. Privacy Act 1988 (Cth) s 14 Principle 3(c).

12. Privacy Act 1988 (Cth) s 14 Principle 7.

13. Privacy Act 1988 (Cth) s 14 Principle 8.

14. ALRC DP 72 Proposal 25-1.

15. ALRC Report 108 vol 2 [27.6].

16. ALRC Report 108 vol 2 [27.11].

17. See Principle 3.

18. Privacy Act 1988 (Cth) s 14, Principle 9. See also para 5.43-5.45.

19. ALRC Report 108 vol 2 [27.12].

20. ALRC Report 108 vol 2 [27.13].

21. Privacy Act 1988 (Cth) s 14, Principle 3.

22. Privacy Act 1988 (Cth) s 14, Principle 8.

23. ALRC DP 72 Proposal 25-1.

24. ALRC Report 108 vol 2 [27.15].

25. ALRC Report 108 vol 2 [27.8].

26. The data security principle is discussed in Chapter 8.

27. ALRC Report 108 vol 2 [27.9].

28. ALRC Report 108 vol 2 [27.22]-[27.23].

29. See Chapter 2 generally.

30. ALRC Report 108 vol 2 [27.18]. Law enforcement and consular activities were cited as examples of situations where this may arise.

31. ALRC Report 108 vol 2 [27.24].

32. ALRC Report 108 vol 2 [27.25].

33. ALRC Report 108 vol 2 [27.27].

34. See discussion at ALRC Report 108 vol 2 [27.28].

35. ALRC Report 108 vol 2 [27.19].

36. See Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1 – 3, 24-27; and Commonwealth, Office of the Federal Privacy Commissioner, Private Sector Information Sheet 28 – NPP 3 Data Quality (May 2009), 1.

37. Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1 – 3, 25-27.

38. Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1 – 3, 24.

39. See para 7.7-7.9.

40. Office of the Federal Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 267-8, cited in ALRC Report 108 vol 2 [27.30].

41. ALRC Report 108 vol 2 [27.30]-[27.33].

42. ALRC Report 108 vol 2 [27.31].

43. Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (Canada), Principle 4.6.2.

44. Cyberspace Law and Policy Centre, Submission to the ALRC DP 72, 49. Cyberspace Law and Policy Centre, Submission.

45. ALRC Report 108 vol 2 [27.35].

46. See, for example, Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001).

47. Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3 (1994), 28.

48. Information Sheets are advisory only and are not legally binding.

49. Office of the Federal Privacy Commissioner, Private Sector Information Sheet 28 – NPP 3 Data Quality (May 2009), 1.

50. ALRC Report 108 vol 1 [8.78].

51. ALRC Report 108 vol 1 [8.77]-[8.80].

52. Privacy and Personal Information Protection Act 1998 (NSW) s 4(3)(a).

53. ALRC Report 108 vol 1 [10.78].

54. ALRC Report 108 vol 1 [10.80]-[10.81].

55. ALRC Report 108 vol 1 [10.79].

56. ALRC Report 108 vol 1 [10.83]-[10.85].

57. ALRC Report 108 vol 1 [10.77]-[10.79].

58. Privacy and Personal Information Protection Act 1998 (NSW) s 11; Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 2.

59. Privacy and Personal Information Protection Act 1998 (NSW) s 16; Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 9.

60. See para 2.4.

61. The Commission recommends that UPP 2.2 be adopted. See discussion at para 2.20-2.24.

62. Section 10 provides that before information is collected from an individual, or as soon after as is practicable, the agency must make the individual to whom the information relates aware of a number of things including: the fact and purpose of the collection, the intended recipients of the information, whether collection is required by law, rights to access and correct the information, and contact details of the collecting and holding agencies. See IPP 3 discussed at para 3.50.

63. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper No 3 (2008) (“NSWLRC CP 3”) [6.20]. These sections refer to IPPs 4 and 3 respectively.

64. The issue does not arise in relation to the data quality requirements of IPP 9 and HPP 9. These apply to information that an agency “holds”, and therefore clearly extend to personal and health information that the agency handles, regardless of whether it was obtained directly or indirectly, and irrespective of whether the information was actively solicited or not.

65. See discussion at para 3.44-3.59.

66. HW v The Director of Public Prosecutions (No 2) [2004] NSWADT 73.

67. See discussion of the decision in HW v The Director of Public Prosecutions (No 2) at para 3.58.

68. NSWLRC CP 3 Proposal 10. See discussion at [6.23]-[6.25].

69. See Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 4.

70. Australian Privacy Foundation, Submission, whose views were endorsed by the Consumer Credit Legal Centre, Inner City Legal Centre, Submission, Public Interest Advocacy Centre, Submission, Cyberspace Law And Policy Centre, Submission, Office of the Privacy Commissioner, Submission.

71. NSW Department of Corrective Services, Submission.

72. Crown Solicitor’s Office, Advice, [3.17] cited in NSWLRC CP 3 [6.22].

73. NSWLRC CP 3 Proposal 10.

74. See discussion at para 3.1-3.2.

75. ALRC Report 108 vol 2 [23.179].

76. ALRC Report 108 vol 1 [23.90]. See also para 3.44-3.49.

77. See para 3.57.

78. See para 2.78-2.80.

79. See para 0.5-0.9.







  Last updated 22 December 2009   Crown Copyright ©  