Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Consideration of application for a Public Interest Determination -UnitingCare Wesley Adelaide: Consultation Paper

(PDF)

Closing date for comment Friday 25 November 2011

Purpose

The Australian Privacy Commissioner has received an application from UnitingCare Wesley Adelaide for a Public Interest Determination (PID) under s 73 of the Privacy Act 1988 (Cth) (the Privacy Act). The application concerns the disclosure and collection of personal information without consent in limited and specific circumstances, to improve outcomes for children and young people at risk of serious harm.

The application has been sought to enable implementation of the South Australian Information Sharing Guidelines for Promoting the Safety and Wellbeing of Children (SA Government 2008) (the ISG). These guidelines aim to improve early intervention outcomes by providing a consistent and structured framework for service coordination.

The OAIC has issued this paper to assist interested parties in preparing comments as part of the Australian Privacy Commissioner's consideration of the application and the making of a determination.

This Consultation Paper, the application and draft determinations are available from the OAIC's web site at http://www.oaic.gov.au/ or in hard copy on request.

How to make comments

The Australian Privacy Commissioner invites your comments on the issues raised by the application and the scope and nature of the draft determinations. The closing date for comment is 25 November 2011.

Submissions can be made to consultation@oaic.gov.au or GPO Box 5218 Sydney NSW 2001.

While submissions may be lodged electronically or by post, electronic lodgment is preferred. It would also be appreciated if your submission could be provided to us in a web accessible format or alternatively in a format that would allow us to easily convert to HTML code eg; Rich Text Format (.rtf) or Microsoft Word (.doc).

Note: The OAIC intends to make all submissions publicly available.  Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982 (Cth).

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering the making of a PID.

 

Background and legislation overview

Provisions for Public Interest Determinations

In limited circumstances, the Privacy Act enables the Australian Privacy Commissioner to examine a matter and, if appropriate, to issue a PID that permits certain activities that may otherwise breach a National Privacy Principle (NPP).

The Australian Privacy Commissioner may make a PID under s 72 of the Privacy Act by declaring that a specific act or practice of the organisation will not be in breach of the NPPs, where they are satisfied that the public interest in doing so substantially outweighs the public interest in adhering to the NPP in question.

Where a PID is issued the Australian Privacy Commissioner may also decide to issue a determination under s 72(4) of the Privacy Act giving general effect to the PID. A generalising determination has the effect of permitting other organisations (not just the applicant) to undertake the act or practice that is the subject of the PID, without breaching the Privacy Act.

Information Sharing Guidelines for Promoting the Safety and Wellbeing of Children

The ISG were endorsed by the Cabinet of the South Australian Government in October 2008 for implementation in South Australia.

The ISG and background information can be found in the booklet Information Sharing Guidelines for promoting the safety and wellbeing of children, young people and their families produced by the South Australian Office of the Guardian for Children and Young People.[1] The Office of the Guardian is responsible for coordinating and monitoring implementation of the ISG and reporting on any systemic issues.

The ISG are overarching principles and practice for all relevant South Australian government agencies and non-government organisations that support children, young people and their families. Through providing a consistent and structured framework for information sharing the ISG are intended to support a preventative and early intervention approach in situations that threaten the safety of children and young people, and ensure that actions taken on their behalf are based on the fullest understanding of their circumstances.

Organisations implementing the ISG are required to develop an appendix detailing how the ISG will be applied in their organisation. Appendices form an attachment to the ISG and contain information about the organisation, case studies and resources to ensure employees and volunteers understand how to appropriately share information under the ISG in the context of their own work environment. The Office of the Guardian has produced guidance to assist organisations in drafting an appendix and encourages organisations to consult the Office of the Guardian in developing an appendix.[2]

The ISG promotes and advocates the value of gaining informed consent for information sharing at the earliest possible point in an individual's engagement with a service and on an ongoing basis. Where gaining consent is not possible or would increase the risk of harm, the ISG clarifies circumstances where it is appropriate to share information without consent and guides service providers in how this should be done.

The ISG does not require disclosure of information, but provides the framework for such disclosure to occur in appropriate circumstances. Providers are not compelled to share information where consent has not been given, if they do not consider that there is a legitimate purpose for information sharing or if they disagree with the assessment of risk.

 

Application for a Public Interest Determination

On 7 October 2011, the Australian Privacy Commissioner received an application from UnitingCare Wesley Adelaide, the applicant, for a PID under s 73 of the Privacy Act. The applicant is an 'organisation' for the purposes of s 6C of the Privacy Act.

The application has been sought to enable implementation of the ISG. The application indicates a concern that, in the absence of a PID, the applicant will be unable to share personal information without consent in accordance with the ISG where children and young people are at risk of significant harm.

Two NPPs were raised in the application: NPP 2.1 and NPP 10.1.

  • NPP2.1 governs the use and disclosure of personal information and states that an organisation may only use or disclose personal information for the purpose for which it was collected unless a prescribed exception applies.
  • NPP10.1 concerns the collection of 'sensitive information'. Sensitive information is defined in s6 of the Privacy Act to include 'health information'. NPP10.1 prohibits organisations from collecting sensitive information unless a prescribed exception applies.

In applying for a PID, the applicant asserted that the potential of the ISG to impact on effective early intervention through improved service coordination and collaboration between government agencies and non-government organisations is significant. It was submitted that it is not possible to undertake effective early intervention work if organisations are required to wait for a serious risk of harm to be imminent before information can be shared. The cost of failing to intervene early to support individuals and families at risk are substantial. Successful early intervention will reduce costs to government and is in the public interest.

Disclosure

The applicant has sought an exemption from complying with NPP 2.1. There may be some limited circumstances in which the applicant would be unable to rely on the exceptions to NPP 2.1 to disclose information in accordance with the information sharing arrangements outlined in the ISG.

While the ISG approaches information sharing from the position of seeking informed consent, it is submitted by the applicant that gaining consent to the disclosure may increase the risk of harm to a child or young person or is not possible in all circumstances. The applicant is therefore unable to rely on NPP 2.1(b) to disclose the information under the ISG where the individual has not consented to the disclosure.

Personal information can be disclosed without consent under NPP 2.1(e) where:

"the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety;" (emphasis added)

The applicant has identified that they are unable to rely on NPP 2.1(e) to make disclosures under the ISG where there is a serious, but not imminent, threat to a person's life, health or safety. Insofar as the word "imminent"; is generally understood to mean "immediate".

The main inconsistency between the circumstances in which information can be disclosed under the ISG and the Privacy Act, is that the ISG does not require serious threats to an individual to be imminent before a disclosure is made without consent, whilst NPP 2.1(e) requires that this threat must also be imminent.

The applicant has submitted that while a child or young person may not be at risk of immediate harm it may be clear from the circumstances that there are reasonable grounds to believe that they are at risk of serious harm. The applicant considers that information sharing in these circumstances is necessary to enable effective and appropriate early intervention to occur to alleviate the potential for the serious harm to occur.

The Australian Government in its response to the Australian Law Reform Commission's Report 108 into Privacy has indicated that it will remove the requirement for "imminence"; in relation to disclosures as part of the major reform to the Privacy Act.[3] The response proposes that agencies and organisations should be permitted to use or disclose personal information where necessary to lessen or prevent a serious threat to an individual's life, health or safety only after consent has first been sought, where that is reasonable and practicable.

Additionally, in May 2008 the Privacy Committee of South Australia granted an exemption from the South Australian Information Privacy Principle 10(b) to South Australian government agencies that are required to observe the ISG.[4] The South Australian Information Privacy Principles form a Cabinet Instruction applying to South Australian government agencies and regulate the way they collect, use, store and disclose personal information.[5] Prior to this exemption, Principle 10(b) stated that an agency should not disclose personal information unless:

"the person disclosing the information believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the record subject or of some other person;"(emphasis added)

The exemption effectively removed the words 'and imminent'; from Principle 10(b) and authorises the disclosure of personal information without the consent of the individual where the person disclosing the personal information does not have or has no reasonable grounds to believe that a threat to the life or health of a person who is under 18 years of age is imminent.

Collection

Additionally, the applicant has sought an exemption in relation to NPP 10 due to service delivery events where it would place a child or young person at risk to seek consent to collect certain types of sensitive information.

Under NPP 10.1, an organisation must not collect 'sensitive information' about an individual unless the individual has consented or a listed exception applies. For the purposes of the Privacy Act, 'sensitive information' includes health information (s 6, Privacy Act).

As part of participating in the information sharing arrangements under the ISG, it may be necessary for the applicant to collect sensitive information without consent where it has been disclosed without consent. It is suggested that where it is inappropriate to seek consent to the disclosure of the personal information as to do so would place a child or young person at risk of harm, it would also be inappropriate to seek consent to the collection of this information.

It does not appear that the circumstances detailed in the application would allow the applicant to rely on any other exception to enable sensitive personal information to be collected where it has been disclosed without consent in accordance with the ISG.

 

Preliminary View

Subject to the result of this consultation, the OAIC proposes that the determination atAttachment Aand the generalising determination atAttachment Bwould be made for a period of 5 years.

The central public interest objective being served by the proposed determinations is the provision of quality human services and ultimately improved child protection outcomes.

The right to privacy is not absolute and in some circumstances, privacy rights will necessarily give way where there is a compelling public interest reason to do so. In these instances, it is necessary to ensure that the solution implemented minimises the intrusion to the fullest extent possible in the circumstances. In making the determination it is important to get the balance right between protecting individual privacy and providing effective health, safety and welfare services to all Australians.

In instances where consent has not been obtained from the individual for the sharing of their personal information, the proposed determinations would permit the disclosure and subsequent collection of the personal information in accordance with the framework for information sharing in the ISG.

In making the disclosure the applicant must reasonably believe that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a child or young person up to the age of 18 years. The applicant will need to have reasonable grounds for its belief that the disclosure is necessary and that the threat is "serious" according to the ordinary meaning of the word and in the context of any vulnerabilities of the individual concerned.

In all other respects the privacy protection standards in the NPPs will continue to apply. In particular, regarding the collection of personal information, NPP 1.1 provides that an organisation 'must not collect personal information unless the information is necessary for one or more of its functions or activities'. Further, NPP 3 provides that an 'organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date'.

Security of personal information is an important element of privacy practice. NPP 4.1 provides thatan organisation 'must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'.

Submissions

The Australian Privacy Commissioner invites your comments on the issues raised by the application and the scope and nature of the draft determination.

The Australian Privacy Commissioner strongly supports initiatives that aim to protect those experiencing serious threats to their life health or safety and to better support those adversely affected by these circumstances. However, the sensitivity of personal information related to these matters and the potential for an individual to be stigmatised, embarrassed or discriminated against as a result of the disclosure or inappropriate sharing of this information is also recognised. The challenge is to ensure that initiatives contain appropriate privacy safeguards regarding the handling of an individual's personal information, while enabling the necessary information sharing to provide strong protection against harm.

Submissions could usefully address these matters, including:

  • the potential for the proposed act or practice to harm the interests of individuals
  • the extent to which the proposed act or practice is inconsistent with an individual's reasonable expectation of privacy
  • the nature of the public interest objectives served by the proposed interference with privacy
  • the need to balance the competing interests contained in s29 of the Privacy Act and
  • the impact on the public interest if the proposed act or practice is not permitted.

The Australian Privacy Commissioner would also welcome comments on the appropriateness of making a determination that gives general effect to the PID. That is, to allow other organisations that have implemented and complied with the ISG to perform the permitted act or practice in the same circumstances as the applicant.

Expressions of interest for a conference on draft determinations

Under ss 75 and 76 of the Privacy Act, the Australian Privacy Commissioner is required, if requested, to hold a conference on a draft determination made in response to an application for a PID.

Accordingly, interested parties are invited to consider whether they wish to request a conference to discuss the draft determinations. If you consider that a conference should be held please advise the OAIC by 25 November 2011 via consultation@oaic.gov.au or GPO Box 5218 Sydney NSW 2001.

If held, the conference must take place within 30 days after the last day on which interested parties can make a request for a conference. It is proposed that if a conference is requested, it will take place in Adelaide in the week commencing 5 December 2011.

If no request for a conference is received the Australian Privacy Commissioner will proceed to make the determination in accordance with the Privacy Act.


 

Attachment A

Privacy Act 1988 Part VI - Public Interest Determination No. X

Disclosure and collection of personal information to improve outcomes for children and young people at risk of serious harm

-------------------------------------------------------------------------------------------

In relation to National Privacy Principles 2.1 and 10.1

Effective: [Date] to [Date] inclusive

Under s 72(2) of the Privacy Act 1988 (the Privacy Act), I, Timothy Pilgrim, Australian Privacy Commissioner, determine that I am satisfied of the following: (1) UnitingCare Wesley Adelaide Inc. (the applicant) is an 'organisation' for the purposes of s6C of the Privacy Act. The applicant has applied under s73 of the Privacy Act for a Public Interest Determination in relation to the acts and practices set out in (2) and (3) below.

(2) The disclosure of personal information about an individual breaches or may breach National Privacy Principle 2.1, in circumstances where:

a) the applicant has not sought consent to the disclosure of personal information as the applicant holds a reasonable belief that to do so would place a child, young person or adult at increased risk of harm, and

b) the applicant has a reasonable belief that the disclosure is necessary to lessen or prevent a serious but not imminent threat to the life, health or safety of a child or young person up to the age of 18 years, and

c) the disclosure of personal information is in accordance with the Information Sharing Guidelines for promoting the safety and wellbeing of children, young people and their families (Government of South Australia 2008) (the ISG).

(3) The collection of personal information about an individual breaches or may breach National Privacy Principle 10.1, in circumstances where:

(a) sensitive personal information is disclosed to the applicant in accordance with the ISG, and

(b) the applicant does not obtain consent for the collection of personal information.

(4) The public interest in the applicant doing the acts, or engaging in the practices, set out in (2) and (3) above substantially outweighs the public interest in adhering to National Privacy Principle 2.1 or National Privacy Principle 10.1.

Accordingly, subject to paragraph (5), by operation of s 72(3) of the Privacy Act the applicant is taken not to contravene s 16A of the Privacy Act if the applicant engages in the acts and practices set out in paragraphs (2) and (3) above, during the period from [Date] to [Date] inclusive. 

(5) The application of this determination is conditional upon the implementation of, and compliance with, the ISG including the completion of an organisation specific appendix outlining the applicant's protocols for sharing information in accordance with the requirements of the ISG.



Timothy Pilgrim
Australian Privacy Commissioner

[Date]


 

Attachment B

Privacy Act 1988 Part VI - Public Interest Determination No. XA

Disclosure and collection of personal information to improve outcomes for children and young people at risk of serious harm 

---------------------------------------------------------------

In relation to National Privacy Principles 2.1 and 10.1

Effective:  [Date] to [Date] inclusive

Under s 72(4) of the Privacy Act 1988 (the Privacy Act), I, Timothy Pilgrim, Australian Privacy Commissioner, make the following generalising determination:

  • (1) No organisation that has implemented and complied with the Information Sharing Guidelines for promoting the safety and wellbeing of children, young people and their families (Government of South Australia 2008) (the ISG) is taken to contravene s16A of the Privacy Act while Public Interest Determination No. X (PID X) is in force, if the organisation does an act, or engages in a practice, that is the subject of PID X.

Implementation of the ISG includes the completion of an organisation specific appendix outlining the organisation's protocols for sharing information in accordance with the requirements of the ISG.



Timothy Pilgrim
Australian Privacy Commissioner

[Date]


[1] See www.gcyp.sa.gov.au/information-sharing-guidelines/

[2] See A guide to writing an ISG appendix available at www.gcyp.sa.gov.au/information-sharing-guidelines/

[3] See Recommendation 25-3 of ‘Enhancing National Privacy Protection', Australian Government First State Response to the Australian Law Reform Commission Report 108 For Your Information:  Australian Privacy Law and Practice, October 2009.  Available at:  www.dpmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.doc

[4] Terry Ryan, Presiding Member Privacy Committee of South Australia, 2 May 2008.

[5] Government of South Australia (1989, amended 1992) Cabinet Administration Instruction No 1 of 1989. Premier and Cabinet Circular 12, Government of SA