Our reference: D2016/005641
Ms Sabina Wynn
Australian Law Reform Commission
GPO Box 3708
Dear Ms Wynn
Submission to ALRC Issues Paper 47 on Elder Abuse
I welcome the opportunity to comment on the Australian Law Reform Commission’s (ALRC) Elder Abuse – Issues paper 47, published as part of its inquiry into laws and frameworks to safeguard older Australians from abuse.
The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency headed by the Australian Information Commissioner. The Commissioner has a range of functions and powers directed towards protecting the privacy of individuals under the Privacy Act 1988 (Cth) (the Privacy Act). The Privacy Act applies to Australian government agencies, organisations with an annual turnover of more than $3 million, as well as to some small businesses, such as all private sector health service providers.
My comments below relate to discussions in the Issues Paper regarding the potential need to change legal frameworks, including privacy legislation, to better identify and respond to elder abuse. I have also commented on a proposal raised in question 8 of the Issues Paper to implement income management for older Australians who receive social security payments and are identified as being at risk of financial exploitation.
Assessing whether the legal framework is an obstacle to addressing elder abuse
There are a number of references in the Issues Paper that suggest legal frameworks, including privacy legislation, may be an obstacle to reporting and responding to elder abuse. For example, the Issues Paper considers that relevant legislation and codes in Australia could possibly be amended to protect financial institutions from breaching privacy legislation when suspected financial abuse is reported in good faith. It is also noted that clinician-patient confidentiality in the health context, and the operation of privacy laws, may need to be considered further when developing specific policies for health professionals to report suspected elder abuse.
In line with these observations and examples, Question 38 of the Issues Paper asks, ‘What changes should be made to laws and legal frameworks, such as privacy laws, to enable hospitals to better identify and respond to elder abuse?’
In considering whether privacy legislation is an obstacle to addressing elder abuse, and what changes may be required, it is important to first have an understanding of exactly if and how privacy legislation hinders an adequate response. Privacy is often named as a barrier to sharing or accessing personal information, but upon closer examination that is not usually the case. For this reason, I suggest that examples of elder abuse need to be carefully assessed against applicable privacy legislation, including the Privacy Act, to determine whether that legislation is in fact an obstacle, and to identify any specific impediments that may need to be addressed via legislative change.
It is worth noting that there are provisions in the Privacy Act which create exceptions to permit the collection, use and disclosure of personal information in circumstances not generally authorised by the Privacy Act. I have outlined below two of these provisions which may be relevant to certain incidents of elder abuse.
‘Serious threat’ exception
The Privacy Act contains exceptions to the Australian Privacy Principles (APPs) which exclude certain information handling practices from the operation of one or more APPs where the practice is considered to be in the public interest when balanced with the interest in protecting an individual’s privacy. There is an exception under the Privacy Act to the usual principles governing the collection (APP 3), and use and disclosure (APP 6) of personal information where information needs to be collected, used and disclosed in order to lessen or prevent a serious threat to an individual. The ‘serious threat’ exception is known as a ‘permitted general situation’ under the Privacy Act and is detailed in s 16A, item 1.
In this context, a serious threat is a threat to life, or to physical or mental health or safety. It could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness.
In order for this exception to apply, an organisation or agency must reasonably believe that the collection, use or disclosure of information is necessary to prevent a serious threat to the life, health or safety of any individual, or to public health or safety. It must also be unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure of their information. For example, if a healthcare provider reasonably believes that a patient is suffering from neglect in their aged care home, which seriously threatens the patient’s life, health or safety, and it is unreasonable or impracticable to obtain the patient’s consent, the healthcare provider could rely on this serious threat exception to disclose information to the relevant authorities.
Further information on this exception, including what constitutes a serious threat to life, health or safety, is available in Chapter C of the APP Guidelines.
‘Required or authorised by law’ exception
Another exception to the usual principles governing collection, use and disclosure of personal information is where the collection, use or disclosure is ‘required or authorised by or under an Australian law or a court/tribunal order.’ Under section 6 of the Privacy Act, the definition of ‘Australian law’ includes a rule of common law or equity. This means that if, for example, the common law duty of care owed by an organisation or agency in a particular situation means that elder abuse needs to be reported, acting in accordance with that duty of care would not breach the Privacy Act as it would be ‘authorised by law’.
The Issues Paper explains that elder abuse may involve the social security system. This can occur, for example, when a ‘payment nominee’ receives an older person’s income support payments on that person’s behalf and subsequently misuses the payments. As a potential solution to economic abuse or financial exploitation of older Australians receiving social security payments, the Issues Paper canvasses the suitability of income management and asks in Question 8, ‘What role is there for income management in providing protections or safeguards against elder abuse?’
Income management raises unique privacy risks as it generally involves a broader collection of social security recipients’ personal information, such as where individuals have shopped, what they have bought and the services they access. This information has the potential to reveal a lot about an individual’s preferences and lifestyle. If it is mishandled, it also has the potential to embarrass individuals or to lead to discrimination against them, particularly in small regional or remote communities.
If income management is considered as a possible solution to the problem of financial exploitation, the potential privacy risks of such a scheme would need to be assessed. This could be done by conducting a Privacy Impact Assessment (PIA), which is a systematic assessment of a project that identifies the impact that a project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. A PIA on income management could include, for example, assessing the amount and type of personal information that is being handled about the older person, and potentially about their payment nominee if the nominee’s spending of the older person’s social security payments is also being monitored.
In addition to expanding the types of information collected about social security recipients, income management schemes can also involve authorising by law the increased information sharing between a broader range of agencies and organisations. If information sharing powers are expanded, consideration will need to be given to whether this expansion is necessary, proportional and the least privacy invasive option. Any intrusions on individuals’ privacy need to be appropriately balanced with the overall public policy objectives of an income management scheme.
In the event that an income management scheme for older Australians is proposed or elaborated on in greater detail in the inquiry’s final Discussion Paper, I would welcome engagement with the ALRC to discuss potential privacy issues related to such a scheme.
I would welcome any engagement on the perceived barriers to addressing elder abuse so I can better understand exactly where the Privacy Act is considered an obstacle. Furthermore, the OAIC would be pleased to be involved in any discussions with the ALRC about the potential privacy risks which may arise in the implementation of other proposals, such as income management.
Please do not hesitate to contact Melanie Drayton, Director Regulation and Strategy, at [contact details removed] if you would like to discuss our submission further.
Timothy Pilgrim PSM
Australian Privacy Commissioner
Acting Australian Information Commissioner
24 August 2016
 Under the Australian Information Commissioner Act 2010, the OAIC also has freedom of information and information policy functions.