Submission to the Royal Commission into Institutional Responses to Child Sexual Abuse consultation paper
I welcome the opportunity to comment on the Royal Commission’s ‘Criminal Justice’ consultation paper (the consultation paper), published as part of its inquiry into institutional responses to child sexual abuse. My submission addresses the issues raised in Chapter 4, particularly the operation of privacy laws and whether these limit or create difficulties for institutions when responding to current allegations of child sexual abuse.
The consultation paper focusses on circumstances where an institution may need to share information with a broad group of people. Specifically, where the alleged perpetrator has recently been working or volunteering at the institution, there may be a need to identify other affected children and to prevent harm to other children that may be at risk. In these circumstances, the institution may need to share information with others in the institution, children and parents, the broader community or the media.
Sharing information in these circumstances necessarily raises privacy issues and any disclosure needs to be carefully considered. Personal information associated with allegations of child sexual abuse is highly sensitive and inappropriate disclosure could have significant consequences, for both victims and alleged perpetrators. However, the right to privacy is not absolute and, in some circumstances, privacy rights will give way where there is a compelling public interest reason to do so. My comments below outline some key privacy considerations for institutions when sharing information, including exceptions to the Privacy Act 1998 (Cth) (the Privacy Act) that can facilitate disclosure in the circumstances described in the consultation paper.
The Office of the Australian Information Commissioner and the Privacy Act
The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency within the Attorney-General’s portfolio. The OAIC integrates three key functions:
- ensuring proper handling of personal information in accordance with the Privacy Act and the Australian Privacy Principles (APPs), which set out the standards, rights and obligations in relation to the handling of personal information
- protecting the public’s right of access to documents under the Freedom of Information Act 1982 (Cth)
- providing advice to government on information policy and practice in accordance with the Australian Information Commissioner Act 2010 (Cth).
The Privacy Act applies to Australian government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private sector health service providers and some small businesses (collectively called ‘APP entities’). Many private sector educational organisations and institutions are covered by the Privacy Act either because they:
- have an annual turnover of more than $3 million (or are connected to a larger organisation with a turnover of more than $3 million)
- provide a health service and hold health information (even if providing a health service is not their primary activity).
This includes most private childcare centres, private schools and private tertiary educational institutions. However, some acts and practices are exempt from the application of the Privacy Act. For example, in certain circumstances, an organisation’s handling of employee records in relation to current and former employment relationships is exempt from the APPs. The APPs will still apply to an organisation’s handling of personal information about volunteers as the employee records exemption only applies where there is an employment relationship.
The Privacy Act generally does not apply to State and Territory government agencies. Instead, where they exist, state and territory laws create information privacy requirements similar to those under the Privacy Act (the exceptions are Western Australia and South Australia). These generally apply to state and territory government agencies as well as local councils, state and territory government owned corporations and universities.
Whether privacy laws limit disclosure
The consultation paper states that, ‘we have been told that privacy and defamation laws may limit what institutions can disclose when they are responding to current allegations of institutional child sexual abuse.’ In considering whether privacy legislation hinders an institution’s ability to respond to current allegations of abuse, it is important to first have an understanding of exactly if and how privacy legislation hinders an adequate response.
Privacy is often named as a barrier to sharing or accessing personal information, but upon closer inspection this may not be the case. One of the main impediments to information sharing can be a general reluctance to disclose personal information, due to a number of misunderstandings about obligations under privacy and other laws. For instance, other legal or policy issues that may impact on an institutions’ ability to disclose information include defamation laws, its duty of care, any obligations of confidentiality, and the need to ensure procedural fairness and avoid interference with police or judicial processes.
Rather than preventing the sharing of personal information, the Privacy Act places important limitations around the circumstances under which it can be collected, used and disclosed. For this reason, I suggest that any issues faced by institutions in deciding whether to disclose information be carefully assessed against applicable privacy legislation, including the Privacy Act, to determine whether that legislation is in fact an obstacle, and to identify any specific impediments that may need to be addressed via legislative change.
Will personal information be disclosed
A key consideration for institutions will be what information to disclose in any communication with parents, the community or the media. Specifically, in the context of privacy, it is necessary to consider whether personal information will actually be disclosed. Under the Privacy Act, ‘personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether the information is recorded in a material form or not.
What constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. An individual does not need to be named to be identified or reasonably identified – it is enough that within a group of persons, they are ‘distinguished’ from all other members of a group so that they are reasonably identifiable.
In the context of allegations of abuse, it may be possible for institutions to make broader notifications to parents and the community, without identifying the alleged perpetrator or victim. Whether an individual is reasonably identifiable by a communication will depend on the level of detail in the communication, such as how specifically the particular institution is identified, and whether or not any particulars are provided about the alleged incident(s). The number and type of recipients will also be a key consideration. Where information is made available to members of a small community, such as a school community, this information might more readily identify an individual.
Information sharing under the Privacy Act
As outlined above, personal information associated with allegations or complaints about sexual abuse is highly sensitive. In this context there is the potential for individuals, both complainants and alleged perpetrators, to suffer serious consequences, including shame, stigmatisation and discrimination, as a result of the inappropriate use or disclosure of personal information. At the same time, there a number of reasons why disclosure may be appropriate or even necessary, including to identify and protect other children who may be at risk and to obtain information that may be relevant to the investigation process.
The sharing of personal information is governed by the collection, use and disclosure provisions in the APPs. Of particular relevance is APP 6, which states that personal information about an individual can only be used or disclosed for the particular purpose for which it was collected (known as the ‘primary purpose’), unless an exception applies. For example, if an institution has collected information from the police for the purposes of sharing that information with parents of children that are involved with the institution, it would be able to use or disclose it for that purpose, without having to rely on an exception. It is important that institutions are clear as to the purposes for which they are collecting personal information and the purpose for which they subsequently wish to disclose it.
Additionally, there are a number of exceptions to the Privacy Act that may operate to facilitate disclosure of information by institutions when responding to allegations of child sexual abuse.
Where the individual has consented to the use or disclosure
APP 6.1(a) permits an APP entity to use or disclose personal information for a secondary purpose where the individual has consented to the use or disclosure. While an alleged perpetrator is unlikely to consent to the dissemination of information about the allegations, victims’ may provide consent to the disclosure of their information for a particular secondary purpose, such as to identify additional victims. In these circumstances, the entity disclosing the information should ensure that it has reached a clear understanding of the intended purpose(s) of the disclosure and has informed the victim of this purpose prior to obtaining their consent.
Reasonable expectations and related to the primary purpose
APP 6.2(a) permits an APP entity to disclose personal information for a secondary purpose if the individual would reasonably expect the entity to disclose the information for that secondary purpose, and:
- if the information is sensitive information, the secondary purpose is directly related to the primary purpose of collection, or
- if the information is not sensitive, the secondary purpose is related to the primary purpose of collection.
The ‘reasonably expects’ test is an objective one that has regard to what a reasonable person, who is properly informed, would expect in the circumstances. This is a question of fact in each individual case. An example of where an individual may reasonably expect their personal information to be used or disclosed for a secondary purpose is where an entity has notified the individual of the particular secondary purpose. For instance, institutions could consider including in documentation that employees and volunteers sign upon commencement, that their personal information may be disclosed for child protection and investigative purposes if an allegation is made against them. This notification may assist in creating a ‘reasonable expectation’ that personal information may be disclosed for that particular secondary purpose.
Required or authorised by law
Another exception to the usual principles governing collection, use and disclosure of personal information is where the collection, use or disclosure is ‘required or authorised by or under an Australian law or a court/tribunal order’. Under s 6 of the Privacy Act, the definition of ‘Australian law’ includes a rule of common law or equity. For example, the common law duty of care owed by an institution may require it to share information to identify, or prevent harm to, children that may be at risk (such as an obligation to warn). Acting in accordance with such a duty of care would not breach the Privacy Act as it would be ‘authorised by law’.
Lessening or preventing a serious threat to life, health or safety
The ‘serious threat’ exception enables personal information to be used and disclosed in order to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. This exception is known as a ‘permitted general situation’ and is contained in s 16A, Item 1 of the Privacy Act.
In order for this exception to apply, an institution must reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. It must also be unreasonable or impracticable to obtain the individual’s consent to the use or disclosure of their information.
A ‘serious’ threat is one that poses a significant danger to an individual or individuals. The likelihood of a threat occurring as well as the consequences if the threat materialises are both relevant. This permitted general situation would not apply after the threat has passed. This exception may apply in circumstances where allegations have been made about an individual, the individual is likely to have contact with children and the entity believes that disclosure is necessary to lessen or prevent a serious threat to them.
An institution should be able to point to one or more clear reasons that make it unreasonable or impracticable to obtain an individual’s consent. A relevant consideration would include the source of the threat. For example, it may be unreasonable to seek consent from the individual posing the threat where that individual could reasonably be anticipated to withhold consent, or where the act of seeking that individual’s consent could increase the threat. In contrast, it is less likely to be unreasonable or impracticable to seek to obtain consent from a victim, where the entity considers it is necessary to disclose their personal information.
Taking appropriate action in relation to unlawful activity or serious misconduct
This permitted general situation enables an APP entity to use or disclose personal information for a secondary purpose where it has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and it reasonably believes that the use or disclosure is necessary in order to take appropriate action in relation to the matter.
This permitted general situation is intended to apply to an APP entity’s internal investigations about activities within or related to the entity. Whether action is ‘appropriate’ will depend on the nature of the suspected unlawful activity or misconduct and the nature of the action that the APP entity proposes to take. Appropriate action may include investigating an unlawful activity or serious misconduct and reporting these matters to the police or another relevant person or authority. While this permitted general situation would facilitate communication within the institution, it is unlikely that a general notification to parents or the broader community would be considered to be appropriate action unless it was for the purposes of seeking further information to assist the investigation.
Enforcement related activities
This exception will apply where the entity reasonably believes that the use or disclosure of the personal information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
‘Enforcement related activities’ is defined in s 6(1) and includes the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities. ‘Enforcement body’ is defined in s 6(1) as a list of specific bodies and includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. This exception would permit the disclosure of personal information to a law enforcement body such as the police for investigation.
As outlined above, the Privacy Act creates a flexible framework for the sharing of information in appropriate circumstances. Rather than preventing the sharing of information, privacy law places important limitations around the circumstances under which it can be collected, used and disclosed, consistent with the community’s expectations. Impediments to appropriate information sharing often include a general reluctance to disclose personal information due to misunderstandings of privacy law, which can give rise to a risk averse culture within agencies.
My Office has produced a range of guidance materials to assist entities understand their privacy obligations. In particular, I encourage all APP entities to develop a robust privacy management framework, that seeks to embed a culture of privacy that enables compliance, while building in safeguards that facilitate appropriate information sharing. Interested parties may wish to consider the OAIC’s Privacy management framework document which can be found on our website.
I would welcome any further engagement on the issues discussed in this submission. My Office would also be pleased to work with the Royal Commission in the development of any guidance material to assist institutions ensure they are acting in accordance with relevant privacy principles when responding to allegations of child sexual abuse.
Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner
 The term ‘APP entity’ is defined in s 6(1) of the Privacy Act. The term ‘organisation’ is defined in s 6C of the Privacy Act, and the term ‘small business operator’ is defined in s 6D of the Privacy Act.
 This does not generally include State or Territory government bodies.
 See s 7B(3) of the Privacy Act.
Privacy and Personal Information Protection Act 1998(NSW); Information Privacy Act 2009 (Qld); Premier and Cabinet Circular No 12 (SA); Personal Information Protection Act 2004 (Tas); Privacy and Data Protection Act 2014 (Vic); Information Privacy Act 2014 (ACT); Information Act (NT). For more information about State and Territory privacy laws, please see Other privacy jurisdictions on the OAIC’s website.
 Section 6(1) of the Privacy Act.
 For more information about the relationship between the primary and secondary purpose, see the APP Guidelines available on the OAIC’s website.
 See APP 6.2(b) in Schedule 1 of the Privacy Act.
 The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ exists. For more information, see the APP Guidelines available on the OAIC’s website.
 See s 16A, Item 2 of the Privacy Act.
 Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 67.
 See APP 6.2(e), Schedule 1 of the Privacy Act.
 See www.oaic.gov.au/agencies-and-organisations/guides/privacy-management-framework
Was this page helpful?
If you would like to provide more feedback, please email us at email@example.com