Part 1: Introduction
1.1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Attorney-General’s Department’s (AGD) National Register of Enduring Powers of Attorney – Public Consultation Paper (the Consultation Paper).
1.2 The Consultation Paper seeks feedback on possible arrangements for a National Register of Enduring Powers of Attorney (the National Register). The Consultation Paper sets out the proposed key features of the National Register, including the policy design and access arrangements for the National Register:
- The National Register will be a centralised, online database containing all new and existing enduring powers of attorney (EPOAs) relating to financial matters made across Australia.
- Registration of an EPOA will be mandatory and a prerequisite for the EPOA to be valid.
- The National Register will collect personal information about EPOAs via an online form, however EPOAs made before the proposed mandatory registration requirement would be captured in the National Register as a PDF.
- Individuals and entities with a legitimate need to see a particular EPOA will be able to pay a fee to search the National Register, with different levels of access to personal information applying to different categories of users.
- Commonwealth legislation would provide for the National Register and its operation whilst state and territory legislation would mandate registration/ inclusion on the Register and provide for the recognition of registered EPOAs.
- EPOAs would continue to operate in accordance with the law of the jurisdiction in which they are executed.
1.3 The OAIC acknowledges the importance of the public interest policy objective to reduce financial abuse of older Australians through the implementation of the National Register. The right to privacy, though important, is not absolute and may be adversely impacted when there are compelling public interest reasons to do so. When designing policy and law regulating the collection, use and disclosure of personal information, it is important to ensure that any adverse impacts are minimised and an appropriate balance is struck between the public interest objective and protecting individuals’ privacy.
1.4 The OAIC provided submissions to the Discussion Paper of the 2017 Australian Law Reform Commission’s Inquiry ‘Protecting the Rights of Older Australians from Abuse’ (ALRC Inquiry), which published a final report entitled Elder Abuse: A National Legal Response (2017 ALRC report). We recommended that access to information held on a national register should be tightly controlled and monitored via access controls, including audit logs, and that the register operator consider how the register will comply with the APPs, including ensuring that personal information is handled in an open and transparent manner. In the final report, the ALRC strongly supported the approach of implementing appropriate information security safeguards and privacy controls, including minimising access to only information that is necessary and generating electronic records of access to information in the register.
1.5 The Consultation Paper contemplates that a significant volume of personal information (including sensitive information) about principals, attorneys and witnesses to an EPOA will be collected, held in the National Register and disclosed to certain third parties. Whilst the Consultation Paper does not directly consider privacy issues associated with the National Register, this proposed collection of personal and sensitive information raises a number of important privacy issues that warrant careful consideration.
1.6 It will be critical that the National Register has strong privacy safeguards built in from an early stage so that the Australian community can have trust and confidence in how their personal and sensitive information will be handled. The OAIC makes the following recommendations and comments to help ensure privacy impacts are fully considered and mitigated and to support robust and proportionate privacy protections being built into the National Register.
Part 2: Privacy by design
2.1 We recommend that AGD take a privacy by design approach to developing the legislative and policy framework for the National Register.
2.2 Taking a privacy by design approach will assist in embedding good privacy practices into the design specifications and architecture of new systems and processes so that privacy risks can be managed proactively, rather than having to retrospectively alter a product or service to address privacy issues that subsequently come to light. It is a fundamental component of effective privacy practice and involves the identification and mitigation of privacy risks at an early stage of a project.
2.3 A privacy impact assessment (PIA) is an important tool that can support a privacy by design approach. We recommend that PIAs be conducted at the appropriate times during the policy development and implementation of the National Register, noting that all government agencies are required to conduct a PIA for high privacy risk projects under the Privacy (Australian Government Agencies – Governance) APP Code 2017.
2.4 A PIA will assist with the identification of relevant information flows, associated privacy risks and mitigation strategies related to the National Register. The Consultation Paper contemplates that access to the National Register may be provided to a number of different groups. A PIA should analyse the privacy risks associated with these information flows and whether they can be appropriately mitigated. The OAIC has developed a Guide to undertaking privacy impact assessments,  as well as a Privacy Impact Assessment e-learning tool to assist APP entities undertaking a PIA.
2.5 PIAs are designed to be iterative and updated and revisited as the policy design of the National Register progresses and the relevant details and information flows are crystalised.
- A privacy by design approach be taken when developing the legislative and policy framework for the National Register.
- Privacy impact assessments be conducted at an early stage during development of the National Register to identity and mitigate privacy risks.
Part 3: The OAIC and application of the Privacy Act 1988 (Cth)
3.1 The OAIC regulates the Privacy Act 1988 (Cth) (Privacy Act), which sets out how organisations with an annual turnover of more than $3 million and most Australian Government agencies (APP entities) must collect, use and disclose individuals’ personal information.
3.2 The 13 legally binding Australian Privacy Principles (APPs) contained in the Privacy Act establish standards, rights and obligations for APP entities in relation to collection, use and disclosure, security, access to and correction of personal information. Sensitive information is generally afforded a higher level of protection under the APPs, in recognition that inappropriate handling of sensitive information can have significant adverse consequences for an individual.
3.3 The Consultation Paper provides that the National Register will collect, use and disclose information about EPOAs, including copies of EPOAs. Information contained in an EPOA, and therefore captured by the National Register, may include:
- Full names, addresses and contact details of principals, attorneys and prescribed witnesses,
- Financial powers that principals provide to their attorneys,
- Commencement time of the EPOA including when the document is signed or when a medical practitioner provides a document certifying that the principal can no longer manage their own affairs.
3.4 This information is personal information as defined in the Privacy Act. Where an EPOA commences upon medical incapacity this will also be sensitive information as it implies information about the principal’s health.
3.5 We note that the National Register will be implemented under Commonwealth legislation and operated by a Registering Authority and System Owner. If the Registering Authority and/or System Owner are APP entities, then the Privacy Act and APPs will apply to the handling of personal information contained in the National Register. The application of the Privacy Act to the National Register will ensure individuals have enforceable privacy rights in relation to the handling of their personal information by the Register and that personal information in the Register is protected from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
Part 4: Collection of personal information and data minimisation
4.1 The purpose of the National Register is to assist in determining the existence of EPOAs relating to financial matters and provide transparency about those arrangements to prevent financial abuse of older Australians.
4.2 The final proposal for the policy design of the National Register should clarify whether registration on the Register will be mandatory for all EPOAs relating to financial matters, including EPOAs made by younger Australians, or whether only EPOAs of older Australians will be caught under the mandatory registration provisions.
4.3 We recommend that the National Register only collect the minimum amount of personal information that is reasonably necessary to achieve the objectives of the Register. This requires careful consideration of each data point collected against the policy objectives of the Register, ensuring that unnecessary information is either not collected, or deleted when no longer required.
4.4 We recommend that AGD consider the privacy risks where personal information is collected but does not result in the completion and registration of an EPOA. Personal information that is not required for the purpose of the National Register should not be retained. AGD should consider the implementation of mechanisms to identify information that has been collected and stored, and prompt either completion and registration of the EPOA or trigger an automatic deletion of the personal information where it is not reasonably necessary for the objectives of the Register.
4.5 The objectives of preventing financial abuse of older Australians and sharing information about EPOAs relating to financial matters should be clearly articulated and specified in the primary Commonwealth legislation underpinning the National Register. Information that is not reasonably necessary to achieve these objectives should not be collected and stored on the National Register. This will avoid unnecessary risk that this information will be inappropriately accessed, used or disclosed.
4.6 Additionally, we recommend that the primary legislation underpinning the National Register should clearly prescribe the categories of personal and sensitive information to be collected and how information can be used and disclosed.
4.7 Consideration should be given to practical ways to ensure that unnecessary information is not collected and included on the National Register, for example, the redaction of some information from scanned hard copy EPOAs.
4.8 We recommend that AGD consider how APP 3 will apply to the collection of sensitive information from relevant parties,  giving particular consideration to whether consent will need to be obtained from individuals whose information is provided to the National Register by a third party such as attorneys and prescribed witnesses and how that consent should be obtained. 
4.9 In particular, consideration should be given to how APP 3 will apply to the collection of sensitive information from principals who have lost capacity to provide consent at the point at which a National Register (and any mandatory requirements to register) come into operation.
- The National Register adopt a data minimisation approach to ensure that only the minimum amount of personal information that is reasonably necessary to achieve the objectives of the National Register is collected.
- Consideration is given to the privacy risks where personal information is collected but ultimately not used to complete and register an EPOA. Mechanisms should be developed to identify this information and either prompt completion and registration or trigger an automatic deletion of unnecessary personal information.
- Consideration is given to procedures ensuring that only personal information relating to financial powers in EPOAs is collected by and displayed on the National Register, in accordance with the legislated objectives.
- Consideration is given to whether and how consent will need to be obtained from individuals whose personal information (including sensitive information) is provided to the National Register by a third party, including attorneys and prescribed witnesses.
- Consideration be given to the how the collection of sensitive information from principals, who have lost capacity to provide consent to the handling of their personal information at the point at which a National Register (and any mandatory registration requirements) come into force, will be authorised by the Privacy Act.
- The final proposal for the policy design of the National Register clarify whether registration on the Register will be mandatory for all EPOAs relating to financial matters, including EPOAs made by younger Australians, or whether only EPOAs of older Australians will be caught under the mandatory registration provisions.
- Commonwealth legislation underpinning the National Register have clearly articulated and specified objectives to ensure that only information that is reasonably necessary to achieve these objectives is collected.
- Commonwealth legislation underpinning the National Register prescribe the categories of personal and sensitive information to be collected and how it may be used and disclosed.
Part 5: Transparency
5.1 Any personal information in the National Register must be managed in an open and transparent manner. Individuals must be informed about how their personal information will be handled and how they can exercise their rights under the Privacy Act in the event that any of their personal information contained in the National Register is compromised.
5.3 In particular, individuals will need to be clearly informed about who will have access to their personal information, and the circumstances in which their personal information will be disclosed, once it is contained in the National Register.
5.4 In preparing the final proposal for the Register, we recommend that AGD consider how individuals whose personal information is provided to the National Register by another person (e.g. attorneys, prescribed witnesses and potentially any medical practitioners attesting to capacity) will be provided with the information required by APPs 1 and 5.
5.5 The Consultation Paper does not discuss accountability, complaint, and redress mechanisms for alleged privacy breaches. We recommend that the final proposal for the National Register include a robust accountability and oversight framework to ensure responsible and accountable personal information management.
- Consideration be given to how individuals whose personal information is provided to the National Register by another person (e.g. attorneys, prescribed witnesses and medical practitioners) will be informed about how their personal information will be handled as required by APPs 1 and 5.
- The final proposal for the National Register include a robust accountability and oversight framework.
Part 6: Disclosure of personal information
6.1 The Consultation Paper proposes six categories of individuals and entities to whom personal information related to an EPOA may be disclosed. These are:
- principals and attorneys who will have full access to EPOAs to which they are a party
- entities with a legitimate business or public interest need for real time access such as public advocates, public guardians, tribunals and courts and land titles offices
- financial institutions who would have ongoing real time access to EPOAs relevant to financial transactions they are conducting, with permission from the principal and/or attorney
- entities and individuals conducting one-off financial transactions with permission from principals and/or attorneys
- other entities and individuals with a legitimate need to access the Register and with the permission of the principal and/ or attorney
- the System Owner and Registering Authority to support the performance of their role.
6.2 The Consultation Paper specifies that access will be limited to individuals and entities with a legitimate need to see a particular EPOA in order to assist in the prevention of financial abuse of older Australians. We suggest that the proposed categories of individuals/entities with a ‘legitimate need’ should be subject to a detailed assessment of whether their access to personal and sensitive information in the register is reasonable, necessary and proportionate to this policy objective, and whether each category of individual/ entities requires access to all the information, or only a subset of the information. For example, it may be unnecessary for the personal information of witnesses contained in an EPOA to be disclosed to all categories of individuals set out in the Consultation Paper.
6.3 The Consultation Paper contemplates three options to address the issue of dual registration of EPOAs on the National Register and on state and territory land titles registers. One of the options involves a direct disclosure of EPOAs to state and territory land titles offices. We recommend that AGD consider any privacy risks in relation to this proposed data flow, noting that state and territory land titles registers do not fall within the jurisdiction of the Privacy Act, and that that not all states and territories have privacy legislation. The mechanism to prescribe a state authority or instrumentality as an organisation under section 6F of the Privacy Act should be considered in order to address any gaps in oversight.
6.4 In addition to state and territory land titles offices, some individuals and entities to whom personal and sensitive information will be disclosed – including small business operators – may not be covered by the Privacy Act. We recommend that AGD consider the risks associated with disclosing personal and sensitive information to third parties who are not subject to any privacy requirements.
6.5 We recommend that consideration be given to requiring these entities to opt-in to coverage under the Privacy Act to the extent that they handle information disclosed from the Register. A further option that warrants consideration is prescribing recipients of information from the Register as an organisation under section 6E(1) of the Privacy Act.
6.6 Consideration could also be given to other mechanisms, noting their limitations, to extend privacy obligations to third parties, such as through the inclusion of contractual privacy provisions in the terms and conditions that third parties are required to accept when interacting with and searching the Register and enforceability mechanisms.
6.7 Generally, personal information contained in the National Register should only be used or disclosed with the consent of the individual to whom the information relates. This threshold is higher in relation to use and disclosure of sensitive information. Consent is not required if there is a law requiring or authorising the relevant disclosure of personal information. 
6.8 In developing the final proposal for the National Register, AGD should consider how information will be disclosed to individuals and entities with a legitimate need in accordance with APP 6. The final proposal should clarify whether consent will be required for disclosure to each of the contemplated categories of individuals and entities or whether legislation will authorise such disclosures. If legislation is used to authorise disclosure, we recommend that the purposes of disclosure and the individuals and entities to whom information can be disclosed should be clearly and narrowly prescribed in the primary legislation underpinning the National Register.
6.9 We note that the Consultation Paper seeks feedback on any circumstances in which access should be provided without the consent of the attorney or principal to whom the EPOA relates. Consideration should be given to how the privacy of individuals will be balanced with the policy objective of protecting older Australians from financial abuse in situations where consent cannot be obtained, such as where the principal does not have capacity to consent and their attorney refuses to grant permission as part of their financial abuse of the principle.
- AGD consider the risks associated with disclosing personal and sensitive information to third parties who are not subject to any privacy requirements.
- AGD consider options to extend privacy protections to personal information contained in the National Register where it is disclosed to entities who are not subject to privacy laws. This should include consideration of the option to prescribe a state authority or instrumentality as an organisation under section 6F of the Privacy Act, as well as the mechanisms in sections 6EA and 6E.
- AGD determine whether consent will be required for disclosure of information from the National Register or whether legislation will authorise such disclosures.
- If legislation will be used to authorise disclosures of personal information from the Register, primary legislation underpinning the National Register should clearly and narrowly prescribe:
- the purposes of disclosure of personal and sensitive information
- the individuals and entities to whom such information can be disclosed.
Part 7: Security, quality, access and correction of personal information
7.1 The Consultation Paper gives limited consideration to the security framework that will support the National Register and ensure compliance with APP 11.
7.2 We recommend that consideration be given to the implementation of strong security measures to protect personal information in the National Register. This includes building in privacy by design into the development of the digital infrastructure and its implementation. For example, regular testing of software underpinning the Register can assist in identifying and resolving any flaws that can lead to privacy breaches. Similarly, the use of audit logs to maintain a record of system activities relating to the Register can assist in detecting and investigating any privacy incidents that may occur. Systems for notifying parties when their information is accessed should also be considered, such as SMS notifications. A PIA would assist in informing the relevant security risks and identifying steps for managing, minimising or eliminating those risks.
7.3 We seek to reiterate comments made in our submission to the ALRC Inquiry and emphasise that access to the National Register should be restricted, tightly controlled, and monitored. Access controls should ensure that only authorised people – such as the Registering Authority, the System Owner and their employees – are able to access the information which they need in order to fulfil their specific functions or duties. Any access to the Register by state and territory entities, such as land titles offices, public guardians and trustees, should be subject to the completion of appropriate, tailored training to ensure that entities comply with a data minimisation approach and are only able to access or extract information that is necessary. This will mitigate against the risk of inappropriate access to personal information, such as unrestricted browsing of the Register, as well as against misuse, interference, loss, unauthorised access, modification or disclosure.
7.4 The entity responsible for the National Register will likely also have obligations under the Notifiable Data Breach (NBD) scheme to notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved. The National Register will need to have in place appropriate mechanisms to support compliance with the NBD scheme and to enable affected individuals whose personal information has been compromised in a data breach to take remedial steps to minimise the adverse impacts that may arise from the breach.
7.5 We note that the National Register will have a System Owner and a Registering Authority who will have access to the Register. We recommend that consideration be given to the privacy and security credentials of the System Owner and the Registering Authoring, including ensuring appropriate governance arrangements are in place between the two.
7.6 Given the sensitivity of information being collected and the purpose of reducing financial abuse of older Australians, we recommend that AGD give due consideration to the appropriate location for the storage of all personal information held by the National Register. The 2020 Australian Community Attitudes to Privacy Survey reveals that three quarters of Australians consider an organisation sending consumers’ data to an overseas processing centre to be a misuse of personal information. Forty-one percent of Australians believe that sending information overseas is one of the biggest privacy risks people face today, and fifty-six percent are very concerned about their personal information being sent overseas. Importantly, older Australians are most likely to be concerned about the overseas disclosure of personal information.
7.7 Noting the sensitivity of the information involved, and in line with these Australian community expectations and concerns, we recommend that consideration be given to requiring this information be stored in Australia.
7.8 Consideration should also be given as to what processes and procedures can be implemented to ensure that information is deleted from the Register once it is no longer required, such as any EPOAs that have been superseded by new EPOAs. This might involve the deletion of information collected during the earlier phases of EPOA development, particularly in circumstances where engagement in those earlier phases did not result in a completed and registered EPOA.
7.9 APP 10 requires an entity to take reasonable steps to ensure that the personal information that the entity collects is accurate, up-to-date and complete. As the possible adverse consequences for an individual whose personal information is not accurately detailed in the Register may be significant – for example, a financial institution may incorrectly approve a financial transaction disadvantaging the principal – reasonable steps will be required of the entity maintaining the National Register to ensure the ongoing quality of that information. We recommend that consideration be given to what steps should be taken to ensure the quality of personal information, such as the implementation of internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information. Automatic notifications could be built into the Register to remind individuals to update their personal information each time that their EPOA is accessed.
7.10 APPs 12 and 13 require an entity to give individuals access to, and request correction of, their personal information held by that entity. In developing the final proposal for the National Register, AGD should consider how the National Register will comply with these access and correction requirements whilst maintaining the integrity of these important documents. For example, a mechanism should be implemented to allow witnesses’ whose information is stored in an EPOA to request access to and correction of their information.
7.11 We note that the Consultation Paper provides that the National Register will enable individuals to apply to revoke an existing EPOA online and for attorneys to apply to resign their roles. We recommend that AGD contemplate how the design of these processes will interact with the requirements of APPs 12 and 13.
- Appropriate security measures be implemented to protect personal information in the National Register from misuse, interference, loss, unauthorised access, modification or disclosure.
- Access to the National Register be restricted, tightly controlled, and monitored.
- The National Register will need to have in place appropriate mechanisms to support compliance with the NBD scheme.
- Careful consideration be given to the privacy and security credentials of the System Owner and Registering Authority, ensuring appropriate governance arrangements are in place between the two.
- Noting the sensitivity of the information involved, and in line with Australian community expectations and concerns, consideration be given to requiring that this information be stored in Australia.
- Relevant processes and procedures should be implemented to ensure that information which is no longer reasonably necessary to be held is deleted from the Register.
- Consideration should be given to what reasonable steps should be taken to ensure the quality of personal information contained in the National Register is maintained.
- Consideration should be given to how the process permitting revocation or resignation of an EPOA will interact with APPs 12 and 13.
7.12 The OAIC looks forward to continuing engagement with AGD to ensure important privacy safeguards are considered during the policy development of the National Register. We are available to be consulted in relation to Privacy Impact Assessments and any specific privacy issues that arise as this policy proposal is further developed.
7.13 If you would like to discuss these comments or have any questions, please contact the OAIC.
 ALRC report ‘Elder Abuse: A National Legal Response’ 2017, page 194-195.
 The Privacy Act 1988 (Cth) s 6(1) defines:
Personal information as ‘‘information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information is recorded in a material form or not’.
Sensitive information as “information or an opinion about an individual’s racial or ethnic origin, political opinions or membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record, as well health information, genetic information, biometric information and biometric templates.”
 APPs 3, 4 and 5.
 APPs 6, 7, 8 and 9.
 APP 11.
 APPs 12 and 13.
 Consultation Paper page 8.
 Consultation Paper page 9.
 Consultation Paper page 11.
 See note 1 above and section 6(1) of the Privacy Act.
 Consultation Paper pages 4-5.
 APP 3.1.
 APP 3.3.
 APP 3.6 provides that an agency may only collect personal information about an individual from the individual unless the individual consents to the collection of their information from someone other than the individual or where collection is required or authorised by or under an Australian law.
 APP 3.4 contains a number of exceptions to the need to obtain consent from an individual to collect their sensitive information, including where collection is required or authorised by or under an Australian law.
 APP 1.1 sets out the principle that APP entities must manage personal information in an open and transparent way.
 APP 1.3.
 Consultation Paper, page 6-7.
 Consultation Paper pages 6-7.
 Consultation Paper pages 11-12.
 See sections 6EA and 6F of the Privacy Act.
 APP 6.1 requires that APP entities only use or disclose an individual’s personal information for the particular purpose (primary purpose) for which it was collected and not use or disclose the information for a secondary purpose without the individual’s consent or unless an exception in APP 6.2 or 6.3 applies.
 APP 6.2(a) requires that sensitive information only be disclosed where an individual would reasonably expect the use and disclosure of their sensitive information for the secondary purpose that it is being used or disclosed for and where this secondary purpose is directly related to the primary purpose of collection.
 The exception under APP 6.2(b) permits disclosure without consent where disclosure is required or authorised by or under an Australian law or a court/tribunal order.
 APP 11 requires an entity to take reasonable steps to ensure the security of the personal information that it holds from misuse, interference, loss, unauthorised access, modification or disclosure, and to actively consider whether it is permitted to retain personal information.
 The OAIC’s Guide to Securing Personal Information provides guidance on the reasonable steps entities should take to protect personal information in compliance with their APP 11 obligations.
 Privacy Act Part IIC.
 Australian Community Attitudes to Privacy Survey, published September 2020, page 39, https://www.oaic.gov.au/assets/engage-with-us/research/acaps-2020/Australian-Community-Attitudes-to-Privacy-Survey-2020.pdf.
 APP 11.2.
 APP Guidelines paragraph 10.6.