30 July 2021

Part 1: Introduction

1.1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Attorney-General’s Department’s (AGD) National Register of Enduring Powers of Attorney – Public Consultation Paper (the Consultation Paper).

1.2 The Consultation Paper seeks feedback on possible arrangements for a National Register of Enduring Powers of Attorney (the National Register). The Consultation Paper sets out the proposed key features of the National Register, including the policy design and access arrangements for the National Register:

  • The National Register will be a centralised, online database containing all new and existing enduring powers of attorney (EPOAs) relating to financial matters made across Australia.
  • Registration of an EPOA will be mandatory and a prerequisite for the EPOA to be valid.
  • The National Register will collect personal information about EPOAs via an online form; however, EPOAs made before the proposed mandatory registration requirement would be captured in the National Register as a PDF.
  • Individuals and entities with a legitimate need to see a particular EPOA will be able to pay a fee to search the National Register, with different levels of access to personal information applying to different categories of users.
  • Commonwealth legislation would provide for the National Register and its operation whilst state and territory legislation would mandate registration/inclusion on the Register and provide for the recognition of registered EPOAs.
  • EPOAs would continue to operate in accordance with the law of the jurisdiction in which they are executed.

1.3 The OAIC acknowledges the importance of the public interest policy objective to reduce financial abuse of older Australians through the implementation of the National Register. The right to privacy, though important, is not absolute and may be adversely impacted when there are compelling public interest reasons to do so. When designing policy and law regulating the collection, use and disclosure of personal information, it is important to ensure that any adverse impacts are minimised and an appropriate balance is struck between the public interest objective and protecting individuals’ privacy.

1.4 The OAIC provided submissions to the Discussion Paper of the 2017 Australian Law Reform Commission’s Inquiry ‘Protecting the Rights of Older Australians from Abuse’ (ALRC Inquiry), which published a final report entitled Elder Abuse: A National Legal Response (2017 ALRC report). We recommended that access to information held on a national register should be tightly controlled and monitored via access controls, including audit logs, and that the register operator consider how the register will comply with the APPs, including ensuring that personal information is handled in an open and transparent manner. In the final report, the ALRC strongly supported the approach of implementing appropriate information security safeguards and privacy controls, including minimising access to only information that is necessary and generating electronic records of access to information in the register.[1]

1.5 The Consultation Paper contemplates that a significant volume of personal information (including sensitive information) about principals, attorneys and witnesses to an EPOA will be collected, held in the National Register and disclosed to certain third parties.[2] Whilst the Consultation Paper does not directly consider privacy issues associated with the National Register, this proposed collection of personal and sensitive information raises a number of important privacy issues that warrant careful consideration.

1.6 It will be critical that the National Register has strong privacy safeguards built in from an early stage so that the Australian community can have trust and confidence in how their personal and sensitive information will be handled. The OAIC makes the following recommendations and comments to help ensure privacy impacts are fully considered and mitigated and to support robust and proportionate privacy protections being built into the National Register.

Part 2: Privacy by design

2.1 We recommend that AGD take a privacy by design approach to developing the legislative and policy framework for the National Register.

2.2 Taking a privacy by design approach will assist in embedding good privacy practices into the design specifications and architecture of new systems and processes so that privacy risks can be managed proactively, rather than having to retrospectively alter a product or service to address privacy issues that subsequently come to light. It is a fundamental component of effective privacy practice and involves the identification and mitigation of privacy risks at an early stage of a project.

2.3 A privacy impact assessment (PIA) is an important tool that can support a privacy by design approach. We recommend that PIAs be conducted at the appropriate times during the policy development and implementation of the National Register, noting that all government agencies are required to conduct a PIA for high privacy risk projects under the Privacy (Australian Government Agencies – Governance) APP Code 2017.[3]

2.4 A PIA will assist with the identification of relevant information flows, associated privacy risks and mitigation strategies related to the National Register. The Consultation Paper contemplates that access to the National Register may be provided to a number of different groups. A PIA should analyse the privacy risks associated with these information flows and whether they can be appropriately mitigated. The OAIC has developed a Guide to undertaking privacy impact assessments,[4] as well as a Privacy Impact Assessment e-learning tool to assist APP entities undertaking a PIA.[5]

2.5 PIAs are designed to be iterative, and should be updated and revisited as the policy design of the National Register progresses and the relevant details and information flows are crystallised.

Recommendation 1

  • A privacy by design approach be taken when developing the legislative and policy framework for the National Register.
  • Privacy impact assessments be conducted at an early stage during development of the National Register to identify and mitigate privacy risks.

Part 3: The OAIC and application of the Privacy Act 1988 (Cth)

3.1 The OAIC regulates the Privacy Act 1988 (Cth) (Privacy Act), which sets out how organisations with an annual turnover of more than $3 million and most Australian Government agencies (APP entities) must collect, use and disclose individuals’ personal information.

3.2 The 13 legally binding Australian Privacy Principles (APPs) contained in the Privacy Act establish standards, rights and obligations for APP entities in relation to collection,[6] use and disclosure,[7] security,[8] access to and correction of personal information.[9] Sensitive information is generally afforded a higher level of protection under the APPs, in recognition that inappropriate handling of sensitive information can have significant adverse consequences for an individual.

3.3 The Consultation Paper provides that the National Register will collect, use and disclose information about EPOAs, including copies of EPOAs. Information contained in an EPOA, and therefore captured by the National Register, may include:

  1. Full names, addresses and contact details of principals, attorneys and prescribed witnesses,[10]
  2. Financial powers that principals provide to their attorneys,[11]
  3. Commencement time of the EPOA including when the document is signed or when a medical practitioner provides a document certifying that the principal can no longer manage their own affairs.[12]

3.4 This information is personal information as defined in the Privacy Act.[13] Where an EPOA commences upon medical incapacity this will also be sensitive information as it implies information about the principal’s health.

3.5 We note that the National Register will be implemented under Commonwealth legislation and operated by a Registering Authority and System Owner. If the Registering Authority and/or System Owner are APP entities, then the Privacy Act and APPs will apply to the handling of personal information contained in the National Register. The application of the Privacy Act to the National Register will ensure individuals have enforceable privacy rights in relation to the handling of their personal information by the Register and that personal information in the Register is protected from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Part 4: Collection of personal information and data minimisation

4.1 The purpose of the National Register is to assist in determining the existence of EPOAs relating to financial matters and provide transparency about those arrangements to prevent financial abuse of older Australians.[14]

4.2 The final proposal for the policy design of the National Register should clarify whether registration on the Register will be mandatory for all EPOAs relating to financial matters, including EPOAs made by younger Australians, or whether only EPOAs of older Australians will be caught under the mandatory registration provisions.

4.3 We recommend that the National Register only collect the minimum amount of personal information that is reasonably necessary to achieve the objectives of the Register.[15] This requires careful consideration of each data point collected against the policy objectives of the Register, ensuring that unnecessary information is either not collected, or deleted when no longer required.

4.4 We recommend that AGD consider the privacy risks where personal information is collected but does not result in the completion and registration of an EPOA. Personal information that is not required for the purpose of the National Register should not be retained. AGD should consider the implementation of mechanisms to identify information that has been collected and stored, and prompt either completion and registration of the EPOA or trigger an automatic deletion of the personal information where it is not reasonably necessary for the objectives of the Register.

4.5 The objectives of preventing financial abuse of older Australians and sharing information about EPOAs relating to financial matters should be clearly articulated and specified in the primary Commonwealth legislation underpinning the National Register. Information that is not reasonably necessary to achieve these objectives should not be collected and stored on the National Register. This will avoid unnecessary risk that this information will be inappropriately accessed, used or disclosed.

4.6 Additionally, we recommend that the primary legislation underpinning the National Register should clearly prescribe the categories of personal and sensitive information to be collected and how information can be used and disclosed.

4.7 Consideration should be given to practical ways to ensure that unnecessary information is not collected and included on the National Register, for example, the redaction of some information from scanned hard copy EPOAs.

4.8 We recommend that AGD consider how APP 3 will apply to the collection of sensitive information from relevant parties,[16] giving particular consideration to whether consent will need to be obtained from individuals whose information is provided to the National Register by a third party such as attorneys and prescribed witnesses and how that consent should be obtained.[17]

4.9 In particular, consideration should be given to how APP 3 will apply to the collection of sensitive information from principals who have lost capacity to provide consent at the point at which a National Register (and any mandatory requirements to register) come into operation.[18]

Recommendation 2

  • The National Register adopt a data minimisation approach to ensure that only the minimum amount of personal information that is reasonably necessary to achieve the objectives of the National Register is collected.
  • Consideration is given to the privacy risks where personal information is collected but ultimately not used to complete and register an EPOA. Mechanisms should be developed to identify this information and either prompt completion and registration or trigger an automatic deletion of unnecessary personal information.
  • Consideration is given to procedures ensuring that only personal information relating to financial powers in EPOAs is collected by and displayed on the National Register, in accordance with the legislated objectives.
  • Consideration is given to whether and how consent will need to be obtained from individuals whose personal information (including sensitive information) is provided to the National Register by a third party, including attorneys and prescribed witnesses.
  • Consideration be given to how the collection of sensitive information from principals, who have lost capacity to provide consent to the handling of their personal information at the point at which a National Register (and any mandatory registration requirements) come into force, will be authorised by the Privacy Act.

Recommendation 3

  • The final proposal for the policy design of the National Register clarify whether registration on the Register will be mandatory for all EPOAs relating to financial matters, including EPOAs made by younger Australians, or whether only EPOAs of older Australians will be caught under the mandatory registration provisions.
  • Commonwealth legislation underpinning the National Register have clearly articulated and specified objectives to ensure that only information that is reasonably necessary to achieve these objectives is collected.
  • Commonwealth legislation underpinning the National Register prescribe the categories of personal and sensitive information to be collected and how it may be used and disclosed.

Part 5: Transparency

5.1 Any personal information in the National Register must be managed in an open and transparent manner.[19] Individuals must be informed about how their personal information will be handled and how they can exercise their rights under the Privacy Act in the event that any of their personal information contained in the National Register is compromised.

5.2 The National Register should have a tailored APP privacy policy which clearly sets out how individuals’ personal information will be handled.[20] Individuals will need to be provided with a comprehensive APP 5 notice setting out the information handling practices of the National Register when uploading information regarding their EPOA to be registered in the system, whether online or in person.

5.3 In particular, individuals will need to be clearly informed about who will have access to their personal information, and the circumstances in which their personal information will be disclosed, once it is contained in the National Register.

5.4 In preparing the final proposal for the Register, we recommend that AGD consider how individuals whose personal information is provided to the National Register by another person (e.g. attorneys, prescribed witnesses and potentially any medical practitioners attesting to capacity) will be provided with the information required by APPs 1 and 5.

5.5 The Consultation Paper does not discuss accountability, complaint, and redress mechanisms for alleged privacy breaches. We recommend that the final proposal for the National Register include a robust accountability and oversight framework to ensure responsible and accountable personal information management.

Recommendation 4

  • Consideration be given to how individuals whose personal information is provided to the National Register by another person (e.g. attorneys, prescribed witnesses and medical practitioners) will be informed about how their personal information will be handled as required by APPs 1 and 5.
  • The final proposal for the National Register include a robust accountability and oversight framework.

Part 6: Disclosure of personal information

6.1 The Consultation Paper proposes six categories of individuals and entities to whom personal information related to an EPOA may be disclosed. These are:

  1. principals and attorneys who will have full access to EPOAs to which they are a party
  2. entities with a legitimate business or public interest need for real time access such as public advocates, public guardians, tribunals and courts and land titles offices
  3. financial institutions who would have ongoing real time access to EPOAs relevant to financial transactions they are conducting, with permission from the principal and/or attorney
  4. entities and individuals conducting one-off financial transactions with permission from principals and/or attorneys
  5. other entities and individuals with a legitimate need to access the Register and with the permission of the principal and/or attorney
  6. the System Owner and Registering Authority to support the performance of their role.[21]

6.2 The Consultation Paper specifies that access will be limited to individuals and entities with a legitimate need to see a particular EPOA in order to assist in the prevention of financial abuse of older Australians.[22] We suggest that the proposed categories of individuals/entities with a ‘legitimate need’ should be subject to a detailed assessment of whether their access to personal and sensitive information in the register is reasonable, necessary and proportionate to this policy objective, and whether each category of individuals/entities requires access to all the information, or only a subset of the information. For example, it may be unnecessary for the personal information of witnesses contained in an EPOA to be disclosed to all categories of individuals set out in the Consultation Paper.

6.3 The Consultation Paper contemplates three options to address the issue of dual registration of EPOAs on the National Register and on state and territory land titles registers.[23] One of the options involves a direct disclosure of EPOAs to state and territory land titles offices. We recommend that AGD consider any privacy risks in relation to this proposed data flow, noting that state and territory land titles registers do not fall within the jurisdiction of the Privacy Act, and that not all states and territories have privacy legislation. The mechanism to prescribe a state authority or instrumentality as an organisation under section 6F of the Privacy Act should be considered in order to address any gaps in oversight.

6.4 In addition to state and territory land titles offices, some individuals and entities to whom personal and sensitive information will be disclosed – including small business operators – may not be covered by the Privacy Act. We recommend that AGD consider the risks associated with disclosing personal and sensitive information to third parties who are not subject to any privacy requirements.

6.5 We recommend that consideration be given to requiring these entities to opt-in to coverage under the Privacy Act to the extent that they handle information disclosed from the Register.[24] A further option that warrants consideration is prescribing recipients of information from the Register as an organisation under section 6E(1) of the Privacy Act.

6.6 Consideration could also be given to other mechanisms, noting their limitations, to extend privacy obligations to third parties, such as through the inclusion of contractual privacy provisions in the terms and conditions that third parties are required to accept when interacting with and searching the Register and enforceability mechanisms.

6.7 Generally, personal information contained in the National Register should only be used or disclosed with the consent of the individual to whom the information relates.[25] This threshold is higher in relation to use and disclosure of sensitive information.[26] Consent is not required if there is a law requiring or authorising the relevant disclosure of personal information.[27]

6.8 In developing the final proposal for the National Register, AGD should consider how information will be disclosed to individuals and entities with a legitimate need in accordance with APP 6. The final proposal should clarify whether consent will be required for disclosure to each of the contemplated categories of individuals and entities or whether legislation will authorise such disclosures. If legislation is used to authorise disclosure, we recommend that the purposes of disclosure and the individuals and entities to whom information can be disclosed should be clearly and narrowly prescribed in the primary legislation underpinning the National Register.

6.9 We note that the Consultation Paper seeks feedback on any circumstances in which access should be provided without the consent of the attorney or principal to whom the EPOA relates. Consideration should be given to how the privacy of individuals will be balanced with the policy objective of protecting older Australians from financial abuse in situations where consent cannot be obtained, such as where the principal does not have capacity to consent and their attorney refuses to grant permission as part of their financial abuse of the principal.

Recommendation 5

  • AGD consider the risks associated with disclosing personal and sensitive information to third parties who are not subject to any privacy requirements.
  • AGD consider options to extend privacy protections to personal information contained in the National Register where it is disclosed to entities who are not subject to privacy laws. This should include consideration of the option to prescribe a state authority or instrumentality as an organisation under section 6F of the Privacy Act, as well as the mechanisms in sections 6EA and 6E.
  • AGD determine whether consent will be required for disclosure of information from the National Register or whether legislation will authorise such disclosures.
  • If legislation will be used to authorise disclosures of personal information from the Register, primary legislation underpinning the National Register should clearly and narrowly prescribe:
    • the purposes of disclosure of personal and sensitive information
    • the individuals and entities to whom such information can be disclosed.

Part 7: Security, quality, access and correction of personal information

7.1 The Consultation Paper gives limited consideration to the security framework that will support the National Register and ensure compliance with APP 11.[28]

7.2 We recommend that consideration be given to the implementation of strong security measures to protect personal information in the National Register.[29] This includes building privacy by design into the development of the digital infrastructure and its implementation. For example, regular testing of software underpinning the Register can assist in identifying and resolving any flaws that can lead to privacy breaches. Similarly, the use of audit logs to maintain a record of system activities relating to the Register can assist in detecting and investigating any privacy incidents that may occur. Systems for notifying parties when their information is accessed should also be considered, such as SMS notifications. A PIA would assist in identifying the relevant security risks and the steps for managing, minimising or eliminating those risks.

7.3 We seek to reiterate comments made in our submission to the ALRC Inquiry and emphasise that access to the National Register should be restricted, tightly controlled, and monitored. Access controls should ensure that only authorised people – such as the Registering Authority, the System Owner and their employees – are able to access the information which they need in order to fulfil their specific functions or duties. Any access to the Register by state and territory entities, such as land titles offices, public guardians and trustees, should be subject to the completion of appropriate, tailored training to ensure that entities comply with a data minimisation approach and are only able to access or extract information that is necessary. This will mitigate the risk of inappropriate access to personal information, such as unrestricted browsing of the Register, as well as the risk of misuse, interference, loss, unauthorised access, modification or disclosure.
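The controls described in paragraphs 6.2, 7.2 and 7.3 (per-category access to only a subset of an EPOA, an audit record of every access attempt, and notification of the parties when their EPOA is viewed) can be shown working together in a small model. The following is an added illustration written for this page; it is not code from the OAIC, AGD or any register implementation. The user categories follow paragraph 6.1, but the field visibility sets, the permission rule, the user identifiers and the sample EPOA record are all assumptions made for the example.

```python
"""Model of tiered, audited access to a register of financial EPOAs.

Added example: the schema, visibility policy and sample record below are
constructed for illustration and are not taken from the Consultation Paper.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Fields a registered financial EPOA carries (constructed sample schema).
ALL_FIELDS = frozenset({
    "principal_name", "principal_address", "attorney_name", "attorney_address",
    "witness_name", "witness_address", "powers", "commencement",
})
# Subset a transaction-level user needs to check that an attorney may act.
TRANSACTION_FIELDS = frozenset({"principal_name", "attorney_name", "powers", "commencement"})

# Field visibility per user category (assumed policy). Witness details are
# withheld from transaction-level users, as paragraph 6.2 suggests may be appropriate.
VISIBLE_FIELDS: Dict[str, frozenset] = {
    "party": ALL_FIELDS,                    # principal or attorney on their own EPOA
    "public_authority": ALL_FIELDS,         # public advocates, tribunals, land titles offices
    "financial_institution": TRANSACTION_FIELDS,
    "one_off_transaction": TRANSACTION_FIELDS,
    "other_permitted": TRANSACTION_FIELDS,
    "register_operator": ALL_FIELDS,        # System Owner / Registering Authority staff
}
# Categories that may only look up an EPOA after a party has granted permission.
PERMISSION_REQUIRED = {"financial_institution", "one_off_transaction", "other_permitted"}


@dataclass
class Epoa:
    epoa_id: str
    data: Dict[str, str]
    parties: Set[str]                                        # user ids of principal and attorney(s)
    permitted_users: Set[str] = field(default_factory=set)   # users a party has granted access to


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    category: str
    epoa_id: str
    purpose: str
    granted: bool
    fields_returned: List[str]


class Register:
    def __init__(self) -> None:
        self._epoas: Dict[str, Epoa] = {}
        self.audit_log: List[AuditEvent] = []   # append-only: every attempt, granted or refused
        self.notifications: List[str] = []      # messages queued for parties (e.g. SMS)

    def add(self, epoa: Epoa) -> None:
        self._epoas[epoa.epoa_id] = epoa

    def _authorised(self, user_id: str, category: str, epoa: Epoa) -> bool:
        if category == "party":
            return user_id in epoa.parties
        if category in PERMISSION_REQUIRED:
            return user_id in epoa.permitted_users
        return category in ("public_authority", "register_operator")

    def _audit(self, user_id: str, category: str, epoa_id: str,
               purpose: str, granted: bool, fields: List[str]) -> None:
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc), user_id,
                                         category, epoa_id, purpose, granted, fields))

    def lookup(self, user_id: str, category: str, epoa_id: str,
               purpose: str) -> Optional[Dict[str, str]]:
        """Return the fields of one EPOA the user may see, or None if refused.

        A specific EPOA id and a stated purpose are required: there is no
        browse/list operation for external users. Every attempt is recorded,
        and any successful lookup by a non-party notifies the parties.
        """
        if category not in VISIBLE_FIELDS or not purpose.strip():
            self._audit(user_id, category, epoa_id, purpose, False, [])
            return None
        epoa = self._epoas.get(epoa_id)
        if epoa is None or not self._authorised(user_id, category, epoa):
            self._audit(user_id, category, epoa_id, purpose, False, [])
            return None
        view = {k: v for k, v in epoa.data.items() if k in VISIBLE_FIELDS[category]}
        self._audit(user_id, category, epoa_id, purpose, True, sorted(view))
        if category != "party":
            for party in sorted(epoa.parties):
                self.notifications.append(
                    f"to {party}: EPOA {epoa_id} viewed by {category} {user_id} ({purpose})")
        return view

    def refused_attempts(self, user_id: str) -> List[AuditEvent]:
        """Audit query a monitoring process could run to spot repeated refusals."""
        return [e for e in self.audit_log if e.user_id == user_id and not e.granted]


if __name__ == "__main__":
    reg = Register()
    reg.add(Epoa("EPOA-0001", {f: f"sample {f}" for f in ALL_FIELDS},
                 parties={"principal-1", "attorney-1"}))
    print(reg.lookup("bank-1", "financial_institution", "EPOA-0001", "loan drawdown"))  # None: no permission yet
    reg._epoas["EPOA-0001"].permitted_users.add("bank-1")
    print(sorted(reg.lookup("bank-1", "financial_institution", "EPOA-0001", "loan drawdown")))
    print(reg.notifications)
```

The design point is that authorisation, minimisation and logging are decided in one place: the same call that checks permission also selects the field subset for the caller's category and writes the audit event, so a refused attempt leaves the same trace as a granted one. The `refused_attempts` query is the kind of check a monitoring process would run over the log to detect a user probing for EPOAs they have no permission to see.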

7.4 The entity responsible for the National Register will likely also have obligations under the Notifiable Data Breaches (NDB) scheme to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.[30] The National Register will need to have in place appropriate mechanisms to support compliance with the NDB scheme and to enable affected individuals whose personal information has been compromised in a data breach to take remedial steps to minimise the adverse impacts that may arise from the breach.

7.5 We note that the National Register will have a System Owner and a Registering Authority who will have access to the Register. We recommend that consideration be given to the privacy and security credentials of the System Owner and the Registering Authority, including ensuring appropriate governance arrangements are in place between the two.

7.6 Given the sensitivity of information being collected and the purpose of reducing financial abuse of older Australians, we recommend that AGD give due consideration to the appropriate location for the storage of all personal information held by the National Register. The 2020 Australian Community Attitudes to Privacy Survey reveals that three quarters of Australians consider an organisation sending consumers’ data to an overseas processing centre to be a misuse of personal information.[31] Forty-one percent of Australians believe that sending information overseas is one of the biggest privacy risks people face today, and fifty-six percent are very concerned about their personal information being sent overseas.[32] Importantly, older Australians are most likely to be concerned about the overseas disclosure of personal information.

7.7 Noting the sensitivity of the information involved, and in line with these Australian community expectations and concerns, we recommend that consideration be given to requiring this information be stored in Australia.

7.8 Consideration should also be given as to what processes and procedures can be implemented to ensure that information is deleted from the Register once it is no longer required, such as any EPOAs that have been superseded by new EPOAs.[33] This might involve the deletion of information collected during the earlier phases of EPOA development, particularly in circumstances where engagement in those earlier phases did not result in a completed and registered EPOA.

7.9 APP 10 requires an entity to take reasonable steps to ensure that the personal information that the entity collects is accurate, up-to-date and complete. As the possible adverse consequences for an individual whose personal information is not accurately detailed in the Register may be significant – for example, a financial institution may incorrectly approve a financial transaction disadvantaging the principal – reasonable steps will be required of the entity maintaining the National Register to ensure the ongoing quality of that information.[34] We recommend that consideration be given to what steps should be taken to ensure the quality of personal information, such as the implementation of internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information. Automatic notifications could be built into the Register to remind individuals to update their personal information each time that their EPOA is accessed.

7.10 APPs 12 and 13 require an entity to give individuals access to, and allow them to request correction of, their personal information held by that entity. In developing the final proposal for the National Register, AGD should consider how the National Register will comply with these access and correction requirements whilst maintaining the integrity of these important documents. For example, a mechanism should be implemented to allow witnesses whose information is stored in an EPOA to request access to and correction of their information.

7.11 We note that the Consultation Paper provides that the National Register will enable individuals to apply to revoke an existing EPOA online and for attorneys to apply to resign their roles. We recommend that AGD contemplate how the design of these processes will interact with the requirements of APPs 12 and 13.

Recommendation 6

  • Appropriate security measures be implemented to protect personal information in the National Register from misuse, interference, loss, unauthorised access, modification or disclosure.
  • Access to the National Register be restricted, tightly controlled, and monitored.
  • The National Register have in place appropriate mechanisms to support compliance with the NDB scheme.
  • Careful consideration be given to the privacy and security credentials of the System Owner and Registering Authority, ensuring appropriate governance arrangements are in place between the two.
  • Noting the sensitivity of the information involved, and in line with Australian community expectations and concerns, consideration be given to requiring that this information be stored in Australia.
  • Relevant processes and procedures should be implemented to ensure that information which is no longer reasonably necessary to be held is deleted from the Register.
  • Consideration should be given to what reasonable steps should be taken to ensure the quality of personal information contained in the National Register is maintained.
  • Consideration should be given to how the process permitting revocation or resignation of an EPOA will interact with APPs 12 and 13.

7.12 The OAIC looks forward to continuing engagement with AGD to ensure important privacy safeguards are considered during the policy development of the National Register. We are available to be consulted in relation to Privacy Impact Assessments and any specific privacy issues that arise as this policy proposal is further developed.

7.13 If you would like to discuss these comments or have any questions, please contact the OAIC.

Footnotes

[2] The Privacy Act 1988 (Cth) s 6(1) defines:

Personal information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information is recorded in a material form or not’.

Sensitive information as ‘information or an opinion about an individual’s racial or ethnic origin, political opinions or membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record, as well as health information, genetic information, biometric information and biometric templates’.

[6] APPs 3, 4 and 5.

[7] APPs 6, 7, 8 and 9.

[8] APP 11.

[9] APPs 12 and 13.

[10] Consultation Paper page 8.

[11] Consultation Paper page 9.

[12] Consultation Paper page 11.

[13] See note 1 above and section 6(1) of the Privacy Act.

[14] Consultation Paper pages 4-5.

[15] APP 3.1.

[16] APP 3.3.

[17] APP 3.6 provides that an agency may only collect personal information about an individual from the individual unless the individual consents to the collection of their information from someone other than the individual or where collection is required or authorised by or under an Australian law.

[18] APP 3.4 contains a number of exceptions to the need to obtain consent from an individual to collect their sensitive information, including where collection is required or authorised by or under an Australian law.

[19] APP 1.1 sets out the principle that APP entities must manage personal information in an open and transparent way.

[20] APP 1.3.

[21] Consultation Paper pages 6-7.

[22] Consultation Paper pages 6-7.

[23] Consultation Paper pages 11-12.

[24] See sections 6EA and 6F of the Privacy Act.

[25] APP 6.1 requires that APP entities only use or disclose an individual’s personal information for the particular purpose (primary purpose) for which it was collected and not use or disclose the information for a secondary purpose without the individual’s consent or unless an exception in APP 6.2 or 6.3 applies.

[26] APP 6.2(a) requires that sensitive information only be disclosed where an individual would reasonably expect the use and disclosure of their sensitive information for the secondary purpose that it is being used or disclosed for and where this secondary purpose is directly related to the primary purpose of collection.

[27] The exception under APP 6.2(b) permits disclosure without consent where disclosure is required or authorised by or under an Australian law or a court/tribunal order.

[28] APP 11 requires an entity to take reasonable steps to ensure the security of the personal information that it holds from misuse, interference, loss, unauthorised access, modification or disclosure, and to actively consider whether it is permitted to retain personal information.

[29] The OAIC’s Guide to Securing Personal Information provides guidance on the reasonable steps entities should take to protect personal information in compliance with their APP 11 obligations.

[30] Privacy Act Part IIC.

[31] Australian Community Attitudes to Privacy Survey, published September 2020, page 39, https://www.oaic.gov.au/assets/engage-with-us/research/acaps-2020/Australian-Community-Attitudes-to-Privacy-Survey-2020.pdf.

[32] Ibid.

[33] APP 11.2.

[34] APP Guidelines paragraph 10.6.