The ways that an organisation can handle, that is, collect, manage, use or disclose personal information, are controlled by the Privacy Act 1988 (Commonwealth) (Privacy Act) and the Australian Privacy Principles (APPs) that are contained in Schedule 1 to the Privacy Act. These are administered by the Office of the Australian Information Commissioner (OAIC).
Personal information for the purposes of the Privacy Act and the APPs is information or an opinion about an individual who is identifiable or reasonably identifiable, whether true or not, and whether recorded in a material form or not.
Some personal information is sensitive information. This includes health and genetic information and, among other things, information or an opinion about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or practices, and criminal record. The Privacy Act and the APPs impose more stringent conditions on the collection, use and disclosure of sensitive information.
The Privacy Act and the APPs apply to agencies, that is, government bodies, and to organisations that are not agencies. An organisation can be an individual, a company, a partnership, a trust or an unincorporated association. An organisation to which the Privacy Act applies is an APP entity.
Not all businesses or entities that are not agencies are organisations for the purposes of the Privacy Act and the APPs. A small business operator, broadly an entity that does not carry on any business with an annual turnover of more than $3,000,000, is not an organisation. Notwithstanding turnover, however, some entities are specifically excluded from the definition of a small business operator and are, accordingly, organisations. These include health service providers that hold health information (other than in employee records), entities that disclose personal information for a benefit, service or advantage or that provide a benefit, service or advantage in order to collect it, contracted service providers for Commonwealth contracts, and credit reporting bodies.
Confidential information
The APPs dictate how an APP entity can collect, hold, use and disclose personal information, including sensitive information. An entity that is a small business operator, and so not an APP entity, is not required to comply with the APPs. Personal information, particularly sensitive information, that such an entity collects or holds may nevertheless be confidential under the general law, and it would be prudent for the entity to treat that information in a manner similar to that required by the APPs so that confidentiality is preserved.
When is consent required under the APPs?
Consent of an individual may be required for the collection, use or disclosure of personal information, including sensitive information, of the individual by an organisation in accordance with a number of the APPs. The APPs that require consent are set out in the table below (emphasis added). The Privacy Act also has requirements for the collection, use and disclosure of personal information by credit providers, which are not addressed in this article.
Effect of consent
It will be obvious from a perusal of the APPs that an organisation that is an APP entity can collect, use and disclose personal information, including sensitive information, of an individual for most purposes if the consent of the individual is obtained. This will not always be possible, but ideally, organisations should endeavour to obtain consent for the collection, use and disclosure of personal information. This will mean that it will not be necessary to consider difficult concepts such as what an individual would “reasonably expect” or whether the use or disclosure of information is “related” or “directly related” to a primary purpose, where these concepts are relevant.
Privacy policy
APP 1.3 requires an APP entity to have a clearly expressed and up-to-date APP privacy policy, and APP 1.4 requires this to contain the following information:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information; and
- the purposes for which the entity collects, holds, uses and discloses personal information; …
Consent for purposes disclosed in a privacy policy
Ideally, in dealings with an individual, an APP entity should draw the Privacy Policy of the entity to the attention of the individual and obtain the consent of the individual to the collection, use and disclosure of personal information, including sensitive information, for the purposes disclosed in the Privacy Policy. This may not always be possible, but where it can be done, it may remove the need to obtain specific consent at a later date.
Nature of consent
Section 6 of the Privacy Act contains a definition of “consent”, which “means express consent or implied consent”. There is no further guidance as to the nature of consent in the Privacy Act or the APPs.
The OAIC, however, does have detailed guidelines in relation to the nature of consent and the manner in which it may be given.
Express consent
The OAIC notes that express consent can be given either verbally or in writing. If consent is verbal, an APP entity would ideally keep a record of some sort, such as a witness or a recording. Written consent is, of course, more certain and should ideally be acknowledged by a handwritten or electronic signature.
Implied consent
Implied consent is a difficult concept, and although the OAIC acknowledges that consent can be implied, it notes that this can only occur where it may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity involved. Obviously, it is preferable to have express consent rather than to rely on implied consent.
Elements of consent
The OAIC says that there are four key elements of consent, which are:
- the individual is adequately informed before giving consent;
- the individual gives consent voluntarily;
- consent is current and specific; and
- the individual has the capacity to understand and communicate their consent.
Bundled consent
The OAIC makes particular reference to what it terms “bundled consent”, which means bundling together multiple requests or purposes for consent to collect, use and disclose personal information without allowing the individual to choose and agree to which purpose their consent is to be given.
The OAIC says (OAIC Key Concepts B.49) that:
This practice has the potential to undermine the voluntary nature of the consent. If a bundled consent is contemplated, an APP entity should consider whether:
- it is practicable and reasonable to give the individual the opportunity to refuse consent to one or more proposed collections, uses and/or disclosures;
- the individual will be sufficiently informed about each of the proposed collections, uses and/or disclosures; and
- the individual will be advised of the consequences (if any) of failing to consent to one or more of the proposed collections, uses and/or disclosures.
Persons with a disability
If there is doubt as to whether an individual has the capacity to understand and communicate their consent, or the legal capacity to give consent, another person may be available who can provide consent on behalf of the individual.
Persons who could provide consent on behalf of another individual could be (in South Australia):
- an attorney of the individual appointed under an enduring general power of attorney;
- a guardian appointed by a guardianship order under the provisions of the Guardianship and Administration Act 1993 (SA);
- a guardian appointed as an enduring guardian under the now-repealed provisions of the Guardianship and Administration Act 1993 (SA);
- a substitute decision-maker appointed by an advance care directive under the Advance Care Directives Act 2013 (SA); or
- for a minor, a parent or other guardian of the minor.
Copies of appointment documents
If another person gives consent on behalf of an individual to collect, use or disclose personal information by an APP entity, the entity should sight and retain a copy of the instrument that gives authority to the person providing consent, such as a Power of Attorney, Advance Care Directive or Order of Appointment of Guardian.
Certified copies
A copy of a document evidencing the authority of a person to give consent on behalf of an individual should ideally be certified as a true copy. Other than for Advance Care Directives (ACDs), there are no specific requirements to this effect, but it is best practice. Nor, other than for ACDs, are there specific requirements as to who may certify a copy as a true copy; it is often requested that the certifier be someone with authority, such as a Justice of the Peace or a lawyer/Commissioner for Affidavits.
It is sometimes suggested that a Notary Public should certify true copies, but if the document is to be used in Australia, this is not necessary, and it is not an appropriate act for a Notary Public.
For ACDs, certified copies are required to be produced for health practitioners. Electronic copies may be produced via the My Health Record system or the Sunrise EMR system (or other approved systems, if any). The ACD document must be certified as a true copy of the ACD by a person who is a suitable witness in accordance with Schedule 1 of the Advance Care Directives Regulations 2014.
Medical witnesses
If an individual lacks capacity, or there is doubt as to the individual's capacity to give consent, and no other authorised person is available to provide consent, it would be advisable for the signing or verbal giving of consent to be witnessed by a medical practitioner who can certify that the person giving consent satisfies the elements of consent outlined by the OAIC.
Refer to the Privacy Act and the APPs
The comments above are only a brief summary. If there is any doubt as to the requirements for consent, or the giving of consent, or collection, use or disclosure of personal information, particularly sensitive information, regard should be had to the provisions of the Privacy Act and the APPs.
DW Fox Tucker can provide assistance in relation to any of these matters and in relation to a review of privacy policies or documents or means to obtain effective consent in relation to the collection, use and handling of personal information.