National Privacy Principles (NPPs) 1.3 and 1.5 of the Privacy Act 1988 (Cth) (the Privacy Act) aim to make sure that individuals know who collects personal information about them, the purpose of collection and what happens to the information after it is collected. This helps give individuals some control over information about themselves.
Part A of the information sheet discusses a number of factors relevant to assessing what, and how much, organisations need to do to ensure people are aware of the collection of personal information about them. Part B of the information sheet gives some examples of situations where organisations may need to do relatively little to ensure individuals are aware of the collection of information about them.
The relevant National Privacy Principles
National Privacy Principle (NPP) 1.3 requires an organisation collecting personal information about an individual directly from that individual to 'take reasonable steps to ensure that the individual is aware of:
- the identity of the organisation and how to contact it; and
- the fact that he or she is able to gain access to the information; and
- the purposes for which the information is collected; and
- the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
- any law that requires the particular information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.'
In the rest of this Information Sheet this list is referred to as the 'NPP 1.3 matters'.
NPP 1.5 requires that an organisation take reasonable steps to ensure that individuals are aware of the NPP 1.3 matters when collecting information from someone other than the individual, except to the extent that this would pose a serious threat to the life or health of any individual.
This Information Sheet assumes that the reader is familiar with the NPPs and the Privacy Commissioner's Guidelines to the National Privacy Principles or Guidelines on Privacy in the Private Health Sector and other Information Sheets. If an organisation collects information from public sources and is considering reasonable steps under NPP 1.5, Information Sheet 17 - 2003 Privacy and personal information that is publicly available is particularly relevant.
Part A: Reasonable steps to ensure awareness
Some steps are generally required
In most circumstances organisations collecting personal information about an individual need to do something to ensure the individual is aware of the NPP 1.3 matters. Where collecting information directly from the individual, reasonable steps might be as simple as ensuring that a form the individual completes clearly states the organisation's name, why the information is being collected (which may be clear from the name of the form) and includes information about the other NPP 1.3 matters. If an organisation is collecting personal information from someone other than the individual, a reasonable step might be for the organisation to inform the individual of the NPP 1.3 matters when it next contacts them. If there is a relationship between two organisations (for example a contractual relationship or the organisations are related bodies corporate) and only one organisation is in contact with the individual, a reasonable step might be for the organisation that is in contact to take steps to inform individuals about the NPP 1.3 matters on behalf of the other organisation (as well as on its own behalf).
There are some limited circumstances where, in the overall context in which personal information is collected, it is reasonable not to take steps to ensure awareness of NPP 1.3 matters. These are discussed later.
Factors to think about when deciding what is reasonable
Deciding what steps are reasonable involves making a judgment based on the facts of the matter and balancing a number of factors. This is because the NPPs are framed as general principles and necessarily oblige organisations to make judgements about what is reasonable in a particular case and what is consistent with the proper protection of personal information. As a general guide, where the privacy consequences for the individual are greater, where there is likely to be detriment to the individual's interests, or where the information involved is sensitive, then the more likely it will be reasonable for organisations to expend significant effort in satisfying NPP 1.3 or 1.5.
Some factors that may be relevant to the consideration of reasonable steps under NPP 1.3 and 1.5 are discussed below.
Tip for compliance
Organisations may find it useful to ask 'would a reasonable person consider it fair in all the circumstances to take these steps to inform individuals of the NPP 1.3 matters?'
An individual's expectations and existing knowledge about the collection
If the individual is already aware of the NPP 1.3 matters then it is likely to be reasonable not to take further steps to comply with NPP 1.3. For example, this might be the case where an organisation regularly updates certain information about the person, has recently informed the person about the NPP 1.3 matters and continues to collect information under the same conditions.
It may also be relevant to consider if the individual would expect, or be aware of, the collection of that information and the NPP 1.3 matters generally. Organisations can alter expectations, for example by engaging in an education campaign directed at individuals whose information the organisation collects. In deciding what steps to take, it may be relevant to consider what is accepted as reasonable practice by consumers, industry and the wider community (although it may be reasonable to improve practices even if they have been considered acceptable previously).
Serious threats to life or health
Where taking steps to ensure awareness of the NPP 1.3 matters would pose a serious threat to the life or health of any individual it would not be reasonable to take those steps. This is explicit in NPP 1.5 and would be part of the assessment of what is 'reasonable' under NPP 1.3.
Sensitivity of the information collected
If the personal information being collected is 'sensitive information' as defined in section 6(1) of the Privacy Act, in most circumstances the individual's consent to the collection is needed under NPP 10. Ensuring awareness of some NPP 1.3 matters would ordinarily be part of the process of seeking informed consent to the collection.
On occasions where consent is not required for the collection of sensitive information, organisations would generally need strong grounds for concluding that there were no reasonable steps to ensure awareness of the NPP 1.3 matters. Some exceptional circumstances are discussed in example (h) in Part B below - 'Health services collecting family, social or medical histories.'
Practicality of taking steps to ensure awareness
An organisation's costs, time and resources are a few of the many factors relevant to judging reasonable steps to ensure awareness of NPP 1.3 matters. If the cost of taking the proposed steps is unreasonable, organisations can consider if there are alternative, less costly ways of ensuring awareness. For example, if it is unreasonable to give detailed notice at the time of collection, in some circumstances it may be reasonable to give brief general information about the purpose of collection at that time, along with advice about where more comprehensive information can be obtained later, such as on a website.
If there are no reasonable steps that can be taken before or when collecting the personal information, it may be reasonable to take steps soon after the information has been collected, for example, when the individual is next contacted. If the organisation is not in direct contact with the individual, and it has collected the personal information from someone else, it may be possible for the organisation that disclosed the personal information to provide information about the NPP 1.3 matters on behalf of the recipient organisation.
Ramifications for the individual
When thinking about reasonable steps to ensure awareness of NPP 1.3 matters, relevant factors include the ramifications of the collection for the individuals and the privacy implications if they are not aware of some or all of the NPP 1.3 matters. For example, the privacy implications for an individual may be greater, in some circumstances, where the information about that individual:
- is collected from someone else (a third party) for a purpose that is not consistent with the reason for which it was collected originally by the third party;
- will be disclosed (particularly where this means the information can be used for another purpose);
- will be combined with other information about the individual; or
- will be used to make decisions that may be detrimental to the individual or contrary to their interests.
Conflicting Legal Obligations
(i) Legal professional privilege
Organisations will not need to take steps to ensure the individual's awareness of the NPP 1.3 matters to the extent that to do so would breach a client's legal professional privilege. This might be the case when third party information is collected by a solicitor from a client seeking legal advice. This conclusion is based on the principle that the use of general words in a law (such as the NPPs) will not be sufficient to override fundamental principles of law or depart from the general system of law (of which legal professional privilege is part).
(ii) Legal obligations of confidence
If an organisation has collected information about an individual and ensuring the individual's awareness of the NPP 1.3 matters would breach an organisation's duty of confidence, then generally it will be reasonable not to take steps to ensure awareness. Here, organisations would need to satisfy themselves that:
- there are strong legal grounds indicating that a legal obligation of confidence exists;
- the legal obligation would be breached if the individual was made aware of the NPP 1.3 matters; and
- there are no steps that could reasonably be taken to make an individual aware of the NPP 1.3 matters without breaching the obligation of confidence.
The question of whether there is an obligation of confidence can be complex and will depend on the circumstances of each case. It may be appropriate to seek specific legal advice. Duties of confidence arise in some recognised professional relationships, for example between solicitor and client or doctor and patient.
Some contracts may also impose a duty of confidence. The way in which contractual obligations of confidence interact with the NPPs is a complicated area of law. The Office cautions organisations against relying on contractual clauses as the basis for taking minimal awareness-raising steps. In such cases, it would be advisable to seek legal advice.
(iii) Statutory obligations
Where taking steps to ensure awareness of the NPP 1.3 matters would conflict with another law, for example a law imposing a secrecy obligation, it will be reasonable for organisations not to take those steps. The organisation should carefully consider whether the law in question genuinely prohibits an individual being informed about any or all of the NPP 1.3 matters.
Prejudice to the purpose of collection where collection is in the public interest
It can be reasonable not to take steps under NPP 1.3 or 1.5 where making individuals aware of the NPP 1.3 matters will prejudice the purpose for which the information is collected and there is a clear public interest in that purpose being achieved. However, even in these circumstances, it may be reasonable to take some steps to ensure the individual is aware of some or all of the NPP 1.3 matters at some point.
Where there is little or no public interest served by the purpose of collection, the organisation will generally need to take some steps to ensure individuals are aware of the NPP 1.3 matters even if taking steps to inform individuals of those matters may be seen as prejudicing the purpose of collection.
An organisation videotapes identifiable people at a community meeting about a matter before a local council. The organisation wants to observe who talked to whom and help understand alliances. Notice of the taping may alter behaviour and undermine the purpose of collection, but there is no overriding public interest in the covert collection of information about this behaviour. In this situation reasonable steps to ensure awareness of the NPP 1.3 matters could include providing notice of the NPP 1.3 matters on the agenda for the meeting and/or giving oral advice of the collection at the beginning of the meeting. Note that in some states there may be state law regulating video surveillance.
To investigate and confirm a suspicion of fraud or unlawful activity it will often be necessary to collect information about an individual's activities without alerting them to the fact that information is being collected for this purpose. Raising awareness about this may give the individual an opportunity to cover up evidence of unlawful activity. There is a clear public interest in the detection of fraud and unlawful activity.
In the case of fraud investigation which is in the public interest, it will generally be reasonable not to take steps to ensure awareness of the NPP 1.3 matters at the time of collection, where:
- fraud or other unlawful activity is suspected on reasonable grounds;
- information being collected is necessary for the investigation of the suspected fraud or other unlawful activity; and
- there are sound reasons for concluding that providing notice at or before the time of collecting the information would significantly reduce the integrity and usefulness of the information.
However, it is possible that some steps could still be taken at another time. For example, insurance companies could take some steps to make individuals aware of NPP 1.3 matters even when the purpose of collection is to investigate fraudulent claims. They could do this by way of notice at the time a customer takes out an insurance policy, or at the time the customer makes an insurance claim. The notice could include information about the general circumstances in which personal information may be collected about them such as the circumstances in which the insurer might engage a private investigation firm, the circumstances in which the customer could be subject to covert surveillance, what the information collected would be used for and to whom the information would be disclosed. The insurer could provide further information about NPP 1.3 matters on request.
(ii) Other possible circumstances
There may be other circumstances where ensuring awareness of NPP 1.3 matters prejudices the purpose of collection and the collection is in the public interest. Investigations of seriously improper conduct, for example, might satisfy the public interest test, but this would depend on the facts of the case.
The public interest is difficult to define; generally speaking, it covers an interest common to the public at large or a significant portion of the public.
The Office cautions organisations against relying on a public interest reason for failing to take steps to ensure awareness under NPPs 1.3 and 1.5 unless it is a case where the public interest is almost universally recognised, as it is in the case of fraud and illegal activity.
Tip for good privacy practice
The NPPs generally require openness and transparency about information collection and handling and it is prudent to err on the side of openness.
Part B: Some examples of where there are few or no reasonable steps to ensure awareness
Archivists collecting documents that contain information about third parties
Archivists often collect and hold personal information about people other than the person who gave the documents to them. For example, diaries and letters frequently refer to other people in an identifying way. Archivists do not necessarily know what personal information is contained in the archived material and they may not be in contact with the individuals concerned. Typically, archivists do not use the information but rely on third party researchers to establish the significance of particular information. Archivists can generally impose their own conditions on disclosing archived material and (in some contexts) can rely on researchers following professional ethical standards.
Generally it will be reasonable for an archivist to conclude that there are few, if any, steps required to satisfy NPP 1.5 where the considerations below apply:
- there are good procedures in place for protecting individuals' privacy at the time the information is being considered for release (for example, there are procedures requiring consent or notice to third parties whose information is contained in the records that are being considered for release, and their information is not disclosed outside these guidelines);
- the archiving organisation is not using the information to make decisions which affect the individual, nor is it likely that other organisations will do so, because of the age of the material;
- the cost of ascertaining what personal information is held and notifying those people of the NPP 1.3 matters is burdensome; and
- individuals' (and relatives') interests are unlikely to be prejudiced by the information being held by the archiving organisation.
Some steps that might be reasonable include asking the organisation or person providing the documents to the archiving organisation to inform third parties (whose information is contained in the material) that the material has been provided to the archiving organisation and the circumstances under which it will be disclosed.
If the material includes information that an individual is likely to consider very private, the balance of considerations may shift and some steps may be needed. Where the archiving organisation becomes aware it is collecting or has collected sensitive information (as defined in section 6(1) of the Privacy Act), it would then need to consider its obligations under NPP 10 where, generally, consent to the collection is required.
Professional indemnity arrangements
In certain professional indemnity (or professional insurance) arrangements, the indemnifier may collect personal information relating to individuals from a professional. For example, in some situations, a medical defence organisation (MDO) may collect patient information from a doctor who is indemnified by the MDO. In such cases, the balance of considerations generally means that the (minimum) reasonable steps to take under NPP 1.5 relate to overall awareness-raising in the community about industry practice in this area, and providing affected individuals with access to further specific information as needed. Such steps might include, in combination:
- the professional (e.g. doctor) notifying individuals that, in certain circumstances, their personal information may be collected by an indemnifier (this notification could occur, for example, in the course of the professional complying with their organisation's initial notification requirements under NPP 1.3);
- industry-level efforts to ensure that, generally speaking, individuals are familiar with the nature of professional indemnity or insurance arrangements, including the sorts of personal information that may flow between professionals and their insurers/indemnifiers, and under what circumstances such information flows generally occur.
A courier or postal service collecting personal information to try to locate a parcel that did not arrive at its correct destination
Where a courier or postal service collects personal information about an addressee while following up a parcel the sender claims was not delivered, it may be reasonable not to take steps to ensure the addressee's awareness of the NPP 1.3 matters in the following combination of circumstances:
- the addressee is aware that the parcel did not arrive (an individual could reasonably be expected to be aware that their name and address information would be collected by the Post Office or courier company to investigate why a parcel had not arrived);
- the information is being collected and used for a purpose consistent with why it was originally collected (to mail letters etc);
- the information is not being disclosed to another organisation; and
- there is unlikely to be prejudice to the individual's interests.
Financial counsellors collecting third party information during a counselling session
Where a financial counsellor collects personal information about a third party while assisting a person with their financial affairs it may not be necessary for the counsellor to take steps to inform third parties of the NPP 1.3 matters in the following combination of circumstances:
- there are minimal privacy implications for the third party because:
  - the counsellor is not making decisions affecting the third party; and
  - the counsellor will not disclose any information about the third party;
- there may be a legal obligation of confidence to the person seeking counselling that would be breached by notifying the third party of the collection; and
- the financial counsellor's information handling practices conform to those accepted by the industry and consumers.
In some cases it might be reasonable for the counsellor to encourage their client to inform a third party of the information about the third party that the financial counsellor collects.
It may also be relevant to consider the sensitivity of the third party information collected by the financial counsellor. How much impact this factor has on the assessment of 'reasonable steps' will depend on the particulars of the case.
Personal information collected during due diligence processes when a company is being sold
Information Sheet 16 - 2002 Application of key NPPs to due diligence and completion when buying and selling a business addresses the application of NPP 1.5 in these circumstances.
Information collected from some publicly available sources
Information Sheet 17 - 2003 Privacy and personal information that is publicly available discusses reasonable steps to ensure an individual is aware of NPP 1.3 matters where information is collected from publicly available sources.
An organisation collecting personal information as part of its contractual obligations to another company
Information Sheet 8 - 2001 Contractors discusses the circumstances under which it may not be necessary for a contracting organisation to take steps to notify individuals about the NPP 1.3 matters.
Health Services collecting family, social or medical histories
In the course of considering an application for a Public Interest Determination under s. 73 of the Act (PID 9), the Office formed the view that the accepted practice of health services not notifying third parties of the collection of their health information in the course of collecting family, social or medical histories does not generally breach NPP 1.5.
The Commissioner's consideration of the appropriateness of not taking steps under NPP 1.5 was limited to cases where:
- the collection of the third party's information to include in a consumer's family, social, or medical history is necessary to provide a health service directly to that consumer; and
- the third party's information is relevant to the family, social or medical history of that consumer.
Usually, when a health service provider collects third party information for inclusion in a consumer's family, social, or medical history, it will be reasonable for the provider not to take steps (under NPP 1.5) to notify the third party of the collection. The collection by health services of third party information for inclusion in a health consumer's family, social, or medical history is a well-established and accepted medical practice and is central to the provision of good health care services. The community is generally aware of such collections, and health services seek to ensure that the public is aware of the need for these collections (for example, through appropriate community education).
More information about PIDs 9 and 9A is available on the web at www.privacy.gov.au/materials/types/determinations?sortby=55#2
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner, ISBN 1-877079-45-6, Privacy Hotline 1300 363 992 (local call charge)