Report 123 (2009) - Privacy principles
List of recommendations
RECOMMENDATION 1
RECOMMENDATION 2
The legislation containing the UPPs should provide that, subject to express contrary intention, where a matter in the UPPs
- is described, characterised or referred to as reasonable or unreasonable, or
- is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner,
the standard to be applied in determining whether the matter is reasonable or unreasonable, or has been carried out or otherwise dealt with reasonably or in a reasonable manner, is what a reasonable person would consider appropriate in the circumstances.
RECOMMENDATION 3
RECOMMENDATION 4
UPP 3(e) should be modified in the following way:
UPP 3. Notification
At or before the time (or, if that is not practicable, as soon as practicable after) an agency or organisation collects personal information about an individual from the individual or from someone other than the individual, it must take such steps, if any, as are reasonable in the circumstances to notify the individual, or otherwise ensure that the individual is aware of, the:
…
(e) main consequences (if any) of not providing all or part of the information.
RECOMMENDATION 5
UPP 5.1(a) should be modified in the following way:
5.1 An agency must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (the secondary purpose) unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
(ii) the individual would reasonably expect the agency to use or disclose the information for the secondary purpose and the agency has no reason to believe that the individual would object.
RECOMMENDATION 6
UPP 5.1(d) should be modified in the following way:
the agency or organisation has reason to suspect that unlawful activity or serious misconduct relating to its operations has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities.
RECOMMENDATION 7
“Primary purpose” in UPP 5 should be defined to mean the purpose for which the agency or organisation collected the personal information.
RECOMMENDATION 8
RECOMMENDATION 9
The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to provide that the privacy principles apply to personal information held, or collected for inclusion, in a record or generally available publication.
RECOMMENDATION 10
UPP 8 should be amended as follows:
UPP 8. Data Security
8.1 An agency or organisation must take reasonable steps to:
(a) …
(b) …
(c) ensure that personal information it discloses to a person pursuant to a contract, or otherwise in connection with the provision of a service to the agency or organisation, is protected from being used or disclosed by that person otherwise than in accordance with the UPPs.
RECOMMENDATION 11
The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to require an agency entering into a contract for the provision of services with a contracted service provider:
(1) to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done or engaged in by the agency; and
(2) to ensure that the contract does not authorise a contracted service provider for the contract to do or engage in such an act or practice.
RECOMMENDATION 12
UPP 10.4 should be amended so as to remove the exclusion of ABNs from the definition of identifiers.
RECOMMENDATION 13
An agency or organisation being “accountable” for personal information should be defined in UPP 11 to mean:
(a) being responsible for the acts and practices of a recipient of personal information, the subject of a cross-border transfer; and
(b) being liable for a breach of UPP 11 if the acts and practices of the recipient would have amounted to an interference with the privacy of an individual, if done in Australia.
RECOMMENDATION 14
If an agency or organisation in Australia or an external territory transfers personal information about an individual to a recipient who is outside of Australia and an external territory, the agency or organisation should remain accountable for that personal information unless the recipient of the information is subject to a law that effectively upholds privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia and that applies in a “listed jurisdiction”. A “listed jurisdiction” is one that is specifically identified in a legislative instrument for the purposes of UPP 11.
RECOMMENDATION 15
In UPP 11 binding schemes should be dealt with in the same way as laws.
RECOMMENDATION 16
The “reasonable belief” test in relation to contracts should be replaced with a test that requires the contract to contain mandatory terms which incorporate privacy protections that are substantially similar to, or more favourable than, the protections afforded by privacy legislation in Australia.
RECOMMENDATION 17
UPP 11.1(b) should be amended to read as follows:
(b) the individual expressly consents to the transfer, after being expressly notified of the following:
(i) the destination jurisdiction/s of the transfer and the likelihood of further transfers;
(ii) the intended recipient/s;
(iii) the intended uses (if known); and
(iv) the consequence of providing consent is that the agency or organisation will no longer be accountable for the individual’s personal information once transferred.
RECOMMENDATION 18
Note 3 to UPP 5 should be deleted and the Note to UPP 11 should be replaced with a note stating that agencies and organisations are subject to the requirements of all other principles when transferring personal information about an individual to a recipient who is outside Australia.