• Specific Year
    Any

Gunning, Patrick --- "Central features of Australia's private sector privacy law" [2001] PrivLawPRpr 16; (2001) 7(10) Privacy Law and Policy Reporter 189


Central features of Australia’s private sector privacy law

Patrick Gunning

In late December 2000 the Australian Parliament enacted the Privacy Amendment (Private Sector) Act 2000 (Cth) (the Act), which is due to commence on 21 December 2001. This legislation introduces data protection regulation of all private sector organisations, whereas previous laws were restricted to certain sectors of the economy (chiefly the consumer credit[1] and telecommunications[2] sectors). The legislation contains several important exemptions. Most strikingly, ‘small business operators’ are exempted from regulation unless they voluntarily elect to be subject to the Act.[3] On the Federal Government’s own figures this will exempt about 94 per cent of all Australian businesses from the Act.[4] However, the Government believes that the remaining 6 per cent of Australian businesses are responsible for approximately 70 per cent of total sales made by Australian businesses.[5]

Even though the number of Australian businesses likely to be affected by the legislation is small, many of those organisations are likely to have substantial collections of information about individuals, and in the next 12 months they will need to consider the potential impact of the regulation on their business and take steps to ensure they are compliant.

Like the data protection laws of other countries in the region (such as New Zealand and Hong Kong) and those of the EU countries, the fundamental concepts of Australia’s Privacy Act 1988 are drawn from the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.[6] This means that Australia has much to learn from these other countries about the implementation and interpretation of data protection principles. As Australia’s existing privacy legislation has not generated many court decisions[7], the experience in other jurisdictions on common issues will be instructive when interpreting the new Australian law.

There are some central features of the Act which determine the scope of the obligations imposed on organisations whose activities are not exempted from the Act altogether.

Personal information

All of the substantive principles in the Act apply to ‘personal information’, so this concept is at the heart of the legislation. The term is defined to mean ‘information or an opinion ... about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’.[8]

The New Zealand definition is in similar terms: ‘information about an identifiable individual.’[9] The European Directive’s definition of ‘personal data’ is also comparable: ‘any information relating to an identified or identifiable natural person.’ In Hong Kong the concept is similar, but with some additional qualifications: the individual must be living; the information must be represented in a ‘document’; and it must be in a form in which access to or processing of the document is practicable.[10] Canada’s definition is different in that it specifically provides that ‘the name, title or business address or telephone number of an employee of an organisation’ is not ‘personal information’.[11]

In interpreting ‘personal information’ courts may look to similar concepts found in other laws. Prior to 1991, the Commonwealth Freedom of Information Act 1982 allowed government agencies to refuse access to documents concerning the ‘personal affairs’ of individuals. A similar exemption exists under the NSW freedom of information legislation. A leading case on the meaning of ‘personal affairs’ in a freedom of information context is the decision of the NSW Court of Appeal in Commissioner of Police v District Court of NSW (Perrin’s case).[12] This case held that the NSW Commissioner of Police could not refuse access to documents on the basis that the documents contained the names of various police officers. Kirby P’s reasoning has been regularly followed. His Honour held that information must be ‘personal to the individual concerned’ for the ‘personal affairs’ exemption to apply. Accordingly,

it cannot properly be said that the disclosure of the names of police officers and employees involved in the preparation of reports within the New South Wales police can be classified as disclosing information concerning their personal affairs. The preparation of the reports apparently occurred in the course of the performance of their police duties. What would then be disclosed is no more than the identity of officers and employees of an agency performing such duties. As such, there would appear to be nothing personal to the officers concerned. Nor should there be. It is quite different if personnel records, private relationships, health reports of (perhaps) private addresses would be disclosed. Such information would attract the exemption.[13]

This conclusion was reached because it was ‘abundantly clear that one object of the [Freedom of Information] Act was to breach the wall of the anonymity of public servants’.

The Commonwealth Freedom of Information Act was amended in 1991 to substitute ‘personal information’ for ‘personal affairs’.[14] I am aware of only one Federal Court decision which has considered the meaning of ‘personal information’ in the context of the freedom of information legislation. That case is Siddha Yoga Foundation Ltd v Strang and Department of Immigration and Ethnic Affairs, an appeal from a decision of the Administrative Appeal Tribunal (AAT).[15] The case concerned an application for documents held by the Department of Immigration relating to a former leader of the Siddha Yoga sect. The Siddha Yoga Foundation was joined as a party to the case and argued in the Federal Court that three documents were exempt under s 41 of the Freedom of Information Act because they contained ‘personal information’ and the disclosure of that information would be unreasonable. The documents were:

  • a letter to the Minister of Immigration dated 3 October 1989 signed by Mr Ross, the executive director of the Foundation, ‘for and on behalf of’ the board of directors, whose names were listed, the purpose of which was to persuade the Minister to refuse a visa;
  • a one page letter dated 14 November 1991 from the Foundation’s solicitors to the Department of Immigration referring to the first letter and repeating some of the assertions made in the first letter; and
  • a fax dated 14 November 1991 to the Australian High Commissioner in New Delhi from the Foundation. The fax consisted of a cover sheet on which the name of an employee of the Foundation appeared, and enclosed a copy of the solicitors’ letter to the Department of 14 November 1991.

The relevant part of the AAT’s decision was as follows:

The documents in question contain nothing more about their individual authors than their names and positions within the foundation. For information to be ‘personal information’ as that term is defined in s 4 of the Act, there must be some information or an opinion about an identified person. There is certainly no opinion about the authors of the documents contained in the documents. I consider that for information to be ‘personal information’ about an individual it would usually need to be more than that person’s name. I acknowledge that the identity of a person who conveyed information could be ‘personal information’ about the person in circumstances similar to those in G v Day [1982] 1 NSWLR 24 and D v National Society for the Prevention of Cruelty to Children [1977] UKHL 1; [1978] AC 171. But this matter is distinguishable from those cases because the individuals who wrote the letters did so on behalf of the foundation, rather than as individuals. I doubt if their names are ‘personal information’.



If those names or a person’s position within the foundation are ‘personal information’ about that person, then I am satisfied that it would not be unreasonable to disclose that information in this matter. There is no evidence that the individuals who wrote or signed the letters are likely to suffer prejudice from the disclosure of their names and positions.[16]

Jenkinson J found no error in this approach. His Honour held, in respect of the original letter of 3 October 1989 that:

the fact that one of [the directors] signed and all of them authorised the communication of the letter to the Minister could not in my opinion be personal information about any of them. As the Tribunal pointed out those acts were done in exercise of their directorial function for and in the name of the Foundation.[17]

In relation to the solicitors’ letter of 14 November 1991, his Honour said:

The name of the member of the firm of solicitors who wrote [the letter] was not personal information about her ... That she was a member of the firm was information available to the public from the Law Institute of Victoria and she communicated the letter to the respondent Department for and in the name of her firm.[18]

Finally, as to the third document, the fax to the Australian High Commission in New Delhi, Jenkinson J held that:

It seems that the signatory was an employee of the applicant. The fact of employment, the identity of the employer, the kind of work to which the employment relates and the place of employment may constitute personal information about a person. The Tribunal did not express a concluded view as to whether disclosure of the information about this signatory ... would involve disclosure of ‘personal information’ about her within the meaning of that expression. The Tribunal rested its decision ... on the conclusion that the disclosure would not involve unreasonable disclosure. ... The conclusion was in my opinion open to the Tribunal and not vitiated by an error of law.[19]

It seems to me that the approach taken by Jenkinson J to the first two documents is at odds with his approach to the third. If it is right that ‘the fact of employment, the identity of the employer, the kind of work to which the employment relates and the place of employment’ may be ‘personal information’, why were the names of the signatories to the first two letters not ‘personal information’? Surely the fax to the High Commission in New Delhi was sent for and on behalf of the Foundation (just as the first document was signed by Mr Ross for and on behalf of the Foundation, and the solicitors’ letter was sent for and in the name of the firm of solicitors).

Jenkinson J appears to have attributed significance to the fact that it would be possible to associate the authors of the first two letters with the Foundation or the firm of solicitors by reference to publicly available information (a company extract to identify the directors or the Law Institute’s register to identify the solicitor), whereas there was no such way to associate the name of the signatory to the fax with the Foundation. This distinction ought to be irrelevant to determining whether information is ‘personal information’. The mere fact that information is notorious or publicly available does not mean that it is no longer ‘personal information’. For example, it is well known that the present Prime Minister of Australia is a cricket enthusiast. That is clearly information about an individual whose identity can reasonably be ascertained, and hence ‘personal information’. However, the fact that such information is publicly available should mean that disclosing documents which contain that information would not involve an unreasonable disclosure.

Unfortunately Jenkinson J’s decision means that it is unclear whether information about employees or officers of organisations will be ‘personal information’.[20] Further, although the definition of ‘personal information’ is the same in both the Freedom of Information Act and the Privacy Act, the policy objectives of each Act are quite different. For this reason I believe that the freedom of information cases examining the meaning of ‘personal information’ and ‘personal affairs’ should not automatically be applied in cases arising under the Privacy Act.

Against this background, it may be of assistance to consider decisions made by courts in other countries with legislation comparable to the Privacy Act. However, there are surprisingly few decisions by courts in countries with comparable regulations which have examined the concept of ‘personal information’ or ‘personal data’.

The English Court of Appeal has made the obvious point that anonymous data is not ‘personal data’.[21]

In Hong Kong, the Court of Appeal held in Eastweek Publisher Ltd v Privacy Commissioner [2000] 1 HKC 692 that a photograph of an individual can be ‘personal data’ — it is a pictorial represent-ation of information about a person’s physical features and appearance.

In New Zealand, Tipping J in the Court of Appeal (with whom Elias CJ and Thomas J agreed) made some obiter remarks on the proper approach to understanding the concept of ‘personal information’ in the case of Harder v Proceedings Commissioner [2000] NZCA 129; [2000] 3 NZLR 80. In that case the defendant, Mr Harder, was a barrister who was representing a man charged with breaching a non-violence order. The order protected Ms C, who was a former partner of Mr Harder’s client. The information which was the subject of the decision consisted of recordings of two telephone conversations between Ms C and Mr Harder which were made by Mr Harder without Ms C’s knowledge. In the first conversation Ms C put a settlement proposal to Mr Harder (offering to request the police to drop the charges if Mr Harder’s client paid an outstanding debt). Mr Harder said that he would speak to his client and asked Ms C to telephone again in a few days time. Ms C did so (this was the second taped conversation). During the second conversation Mr Harder asked Ms C a series of questions, but there was little evidence as to what those questions were — the most that can be gleaned from the report of the case is that some of the questions concerned whether Ms C was in possession of various goods. It appears that it was not until the case reached the Court of Appeal that there was any consideration given to the question of whether the tape recordings contained ‘personal information’. Although it was not necessary to decide the question (because the Court held that there was no breach of the Act even assuming that the information was ‘personal information’), Tipping J (for the majority) made the following remarks:

An unqualified approach to what constitutes ‘information about an identifiable individual’ will lead readily to breaches of one or more of the information privacy principles. ... [The provisions of s 14(a)] require the Commissioner, and implicitly others involved in the administration of the Act, to have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of the free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way. Those concepts are thus relevant to the scope of the definition of personal information ...[22]

In the context of the case, Tipping J ventured the opinion that:

The only way the first conversation could involve information about Ms C would be to say it constituted information about her attitude to the way the differences between herself and her former partner might be resolved. The same can be said of the second conversation. It seems strained to suggest that Ms C’s denial of possession of certain unspecified chattels is information about her for privacy purposes. It would be surprising if Parliament intended the Act to have such an unrestrained reach.[23]

However, Tipping J conceded that the case did not turn on this point, so the meaning of ‘personal information’ would remain open for determination when it directly arises. Gault J was not convinced by Tipping J’s reasoning:

I am ... reluctant to subscribe to the obiter dicta in the judgment prepared by Tipping J concerning the scope of ‘personal information’ under the Privacy Act. It seems to me that almost any information is capable of being used in a manner that could constitute an interference with privacy and this has been recognised by the very broad definition.[24]

Similarly, Henry J thought it preferable to await an occasion when the question of what is meant by ‘personal information’ has been adequately argued before embarking on a critical consideration of it.

The Australian Act has a counterpart to the provisions of s 14(a) of the New Zealand Act to which Tipping J referred. That counterpart is s 29(a). Section 55A(7A) of the Australian Act instructs the Federal Court (or Federal Magistrates Court), when conducting a de novo ‘appeal’ against a determination of the Privacy Commissioner or an adjudicator under an approved privacy code, to have due regard to the matters set out in s 29(a).[25] Nevertheless, my view is that the balance between competing privacy and public interest should, in most cases, be struck when considering the scope of the exemptions and exceptions to the privacy principles, not when interpreting a definition. Those exemptions and exceptions are the primary means by which Parliament has chosen to strike a balance between privacy and other interests.

However, there is clearly room for debate as to whether information is ‘about an individual’, particularly in the context of information concerning employees or officers of organisations. Indeed, a court charged to take into account ‘the right of ... business to achieve [its] objectives in an efficient way’ may be persuaded that the consequences of finding that basic information about employees[26] is ‘personal information’ would be too harsh to allow businesses engaged in business to business marketing to conduct themselves efficiently.[27] While there have been very few court cases decided under information or data protection laws based on the OECD Guidelines, I believe that the question of whether information about employees is ‘personal information’ is one of the most likely issues to be litigated under the Australian Act.

Collection of personal information

Section 16B of the Act provides that the private sector provisions of the Act apply ‘to the collection of personal information by an organisation only if the information is collected for inclusion in a record or a generally available publication’, and to ‘personal information that has been collected by an organisation only if the information is held by the organisation in a record’. The National Privacy Principles (NPPs), with which regulated ‘organisations’ must comply, impose restrictions on the collection of personal information (NPP 1), and also seek to limit the use and disclosure of personal information by reference to the purpose for which it was collected (NPP 2). Accordingly, the act of ‘collecting’ personal information is another central feature of the Act.

The word ‘collect’ is not defined. It is a term which has appeared in the Privacy Act since it was first enacted and, prima facie, you would expect that when it is used in provisions introduced by the Privacy Amendment (Private Sector) Act 2000, it is used in the same sense as in the Act as it was before those amendments. However, this expectation may not be well founded.

The Act has regulated certain activities of ‘collectors’ since its introduction in 1988. A ‘collector’ is a Federal Government agency which ‘collects’ personal information: s 9. Information Privacy Principles (IPPs) 2 and 3 apply where a ‘collector’ collects personal information for inclusion in a record or a generally available publication (IPPs 2(a) and 3(a)) and the information is solicited (defined to mean requested) by the collector (IPPs 2(b) and 3(b)).

Applying accepted principles of interpretation, the drafting of IPPs 2 and 3 suggests that an agency may ‘collect’ personal information even if it does not ‘solicit’ that information. This is because IPP 2(b) and IPP 3(b) would be unnecessary if ‘collect’ was synonymous with ‘solicit’.

If this interpretation was correct, it would mean that a private sector organisation may ‘collect’ personal information for the purposes of the NPPs even where the organisation does not request anyone to provide the information to them. But there are factors pointing away from this conclusion. NPP 1.1 (a prohibition on the collection of personal information unless the information is necessary for one or more of an organisation’s functions or activities) can clearly never apply to unsolicited information; nor can NPP 1.2 (a requirement to only use lawful and fair means of collecting personal information). It seems unlikely that Parliament intended to require organisations who receive unsolicited personal information to take reasonable steps to ensure that the individual to whom the information relates is aware of the matters described in NPP 1.3 (and, in particular, the requirement to notify the individual of the main consequences of failure to provide the information suggests that the information is being actively solicited). Similarly, NPP 2.1 (a prohibition on use or disclosure of personal information for a purpose ‘other than the primary purpose of collection’) assumes that the organisation collected personal information for a purpose, which is obviously not the case where unsolicited information is involved. NPP 10.1 (a prohibition on the collection of ‘sensitive information’ except in particular circumstances) also assumes that a positive act on the part of the organisation is required for there to be a collection of information. For these reasons, at least in the context of the private sector provisions of the legislation (especially s 16B and the NPPs), the better view is that an organisation does not ‘collect’ personal information merely by receiving unsolicited information.

This interpretation is consistent with the New Zealand legislation, which specifically provides that ‘collection’ does not include receipt of unsolicited information. The concept of collection of personal information was the main subject of the New Zealand Court of Appeal’s decision in Harder v Proceedings Commissioner. (The facts of that case are set out above in the discussion of ‘personal information.)’ The first conversation between Ms C and Mr Harder was initiated by Ms C. The Court of Appeal held, unanimously, that this meant that Mr Harder was merely in receipt of unsolicited information.[28] The Court rejected the argument that in taping the conversation Mr Harder changed from being a passive recipient to an active recorder and therefore collector of whatever personal information concerning Ms C may have been imparted to Mr Harder during the conversation. However, the second conversation was not unsolicited — in the first conversation Mr Harder requested Ms C to telephone him again so they could further discuss the possibility of resolving the dispute in light of instructions received from Mr Harder’s client. In the second conversation Mr Harder told Ms C that her proposal was unacceptable, and he then asked a series of questions. Thus whatever personal information was contained in Ms C’s replies was clearly ‘collected’ by Mr Harder.

The Hong Kong Court of Appeal has also recently considered the meaning of ‘collect’ under the Hong Kong Personal Data (Privacy) Ordinance. In Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692 the Court was required to determine whether a magazine publisher had breached Data Protection Principle 1 of the Ordinance, which requires that personal data must be collected by means which are lawful and fair in the circumstances.[29] The case concerned a complaint made by a woman whose photograph appeared in a glossy variety magazine published by Eastweek. The relevant article discussed the fashion sense of women in Hong Kong and various photographs were used to illustrate points made in the article. The complainant’s dress sense was ridiculed in the article, and she was referred to in the article as ‘Japanese Mushroom Head’. Apart from the photograph there was no other information in the article to identify the complainant. The photograph had been taken without the complainant’s knowledge or consent with a long distance lens while she was in a public place. The photographer had made an effort to reach her with the intention of seeking her consent to the publication but, because of crowded conditions, failed to reach her before she disappeared from view. The complainant lodged a complaint with the Privacy Commissioner after her colleagues and others made fun of her and made her too embarrassed to wear the same clothing (which was new) again. The Commissioner found in favour of the complainant and sought undertakings from the publisher in relation to future uses of photographs taken without the consent of the individuals depicted in them. The publisher sought judicial review of the Commissioner’s decision. The primary issue which the Court had to decide was whether the publisher had collected personal data using unfair means. By majority (Ribeiro JA and Godfrey VP; Wong JA dissenting) the Court of Appeal held that the publisher had not collected personal data, and therefore DPP 1 did not apply. Ribeiro JA (with whom Godfrey VP agreed) stated:

It is, in my view, of the essence of the required act of personal data collection that the data user must thereby be compiling information about an identified person or about a person whom the data user intends or seeks to identify. The data collected must be an item of personal information attaching to the identified subject ... This is missing in the present case. What is crucial here is the complainant’s anonymity and the irrelevance of her identity so far as the photographer, the reporter and Eastweek were concerned. Indeed they remained completely indifferent to and ignorant of her identity right up to and after publication of the offending issue of the magazine. She would have remained anonymous to Eastweek if she had not lodged a complaint and made her identity known. In my view, to take her photograph in such circumstances did not constitute an act of personal data collection relating to the complainant.[30]

Like Tipping J in the Harder case, Ribeiro JA was clearly concerned about the possible impact of a literal interpretation of the legislation on interests which compete with privacy (in this case legitimate journalistic activity, including photojournalism).[31] However, Ribeiro JA found other reasons in the structure of the legislation to support his conclusion.[32] For example, access and correction rights[33] assume that personal information is compiled in relation to identified individuals so that a particular personal identifier can be used as a search key. Similarly, the prohibition in DPP 3 against using personal data, without the consent of the data subject, for any purpose other than the purpose for which it was collected[34] assumes that it is possible for the organisation to identify the individual (in order to obtain consent).

Ribeiro JA made two important points about the scope of his judgment. First, he made it plain that taking someone’s photograph can be an act of personal data collection, depending on the circumstances. He gave some examples:

the portfolio of photographs of ... fashion models maintained by a ... modelling agency would clearly constitute personal data collected in relation to the individuals in question. Similarly, law enforcement agencies are likely to have databases including photographs of wanted persons whose identities may or may not be known. If unknown, their identities would be considered important and sought-after items of information. Such photographs clearly would constitute part of the personal data collected in relation to such wanted persons.[35]

Secondly, Ribeiro JA sought to clarify that he was not suggesting that media organisations fall outside the scope of the Ordinance. For example, he thought it likely that a newspaper would engage in personal data collection when it compiled a dossier on a public official suspected of involvement in corrupt activity.[36] That collection would be within the scope of the legislation, subject to the express exemptions applying to media organisations (s 61 and DPP 1(3)).[37]

In dissent, Wong JA preferred to give the language of the legislation its ordinary meaning, particularly as its purpose is to protect the privacy of individuals in relation to personal data. Against this background and the narrowly drafted media exemptions in the Ordinance, Wong JA identified no error of law in the Commissioner’s approach.

If Eastweek was followed in Australia it would be necessary to assess an organisation’s intentions in obtaining personal information in order to determine whether that information had been ‘collected’ for the purposes of the Act. As we have seen, the mere receipt of unsolicited personal information is not a ‘collection’ for the purposes of the private sector legislation. So the situation in which Eastweek could apply is where:

  • an organisation has come into the possession of personal information as an incidental by-product of some other activity it has engaged in; and
  • the identity of the subject of the information is irrelevant to the organisation’s activities.

To extend Eastweek’s photojournalism theme, cameras mounted to record scenes of public spaces and connected to the internet to allow those scenes to be communicated to visitors to a website (for example, websites which show surf or snow conditions or city scenes) are likely to picture individuals passing through the public space. But any personal information about the individuals which can be gleaned from the images are likely to be irrelevant to the website operator and, on the Eastweek reasoning, the operator would not ‘collect’ that information. However, applying the same reasoning, the use of the same technology for security purposes would lead to the result that the organisation who controls the camera ‘collects’ personal information (as the intention is to use the recording to identify an individual if necessary).

Taking an example closer to home for lawyers, consider a firm of solicitors who research reports of court decisions in order to use excerpts in written submissions to a court. Reports of court decisions will, almost inevitably, contain personal information about individuals referred to in the reasons. Have the solicitors ‘collected’ personal information for inclusion in a record (their written submissions) simply by acquiring a copy of an existing decision? As with Eastweek, the solicitors will, most likely, be completely indifferent to the identity of the individuals referred to. The personal information about the individuals is only relevant to demonstrate a legal principle which is to be applied in the case at hand. It would produce an absurd result if the solicitors ‘collected’ the information contained in reported decisions: NPP 1.5 would require them to inform all individuals referred to in the decision of the matters set out in NPP 1.3. Imagine what it would be like to be named in a court decision which was regularly cited: you would be inundated with notices from law firms and leading senior counsel (those whose turnovers are $3 million per annum or more) to tell you that they have a copy of the decision and intend to use it for the benefit of their client!

While the Eastweek decision introduces a judicial gloss on the ordinary meaning of ‘collect’, those parts of the Hong Kong Ordinance identified by Ribeiro JA as supporting the interpretation have counterparts in the Australian Act and, as is demonstrated by the example above, the interpretation avoids a result which Parliament surely did not intend. Accordingly, I believe there are sound reasons for an Australian court to follow Eastweek.

Use of personal information

Another central feature of information privacy legislation is the concept of ‘use’ of information.

In the Act ‘use’ is defined as follows:

use, in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.

So, unless there is some reason arising from the structure of the legislation, ‘use’ has its ordinary and natural meaning, subject to the exclusion and inclusion contained in the definition.

NPP 2 prohibits the use of personal information for a purpose other than the primary purpose of collection unless one of a number of exceptions apply.

The House of Lords has considered the meaning of ‘use’ in the context of the UK Data Protection Act 1984 (which has been replaced by the 1998 Act). In R v Brown [1996] 1 AC 543 a police officer had obtained access to personal data held in a national police computer database in order to assist a friend who ran a debt collection agency, but there was no evidence that the police officer had passed the information on to his friend or otherwise used the information himself. The main issue for decision by the House of Lords was whether ‘use’ should be construed so as to include processing data so as to gain access to information stored within a computer without doing any further act with the information. By a three-two majority it was held that a person who merely retrieved information from the database of a computer in the form of a display on a screen or of a printout did not thereby use the data. This was because ‘use’ was to be given its ordinary and natural meaning which is ‘to employ for a purpose’. The retrieval of information from a database was a prerequisite of use, but not a use in itself.

I would expect an Australian court to follow the decision in Brown’s case.

Disclosure of personal information

Like ‘collect’ and ‘use’, the verb ‘disclose’ is a key term in the Act. It is not defined.

The term has been considered in several cases, but not, so far as I am aware, in the context of a claim under a general information privacy or data protection law. The most relevant authority of which I am aware is the decision by Laddie J in the High Court of England in the case of Bank of Credit and Commerce International (Overseas) Ltd (in liq) v Price Waterhouse (No 2) [1998] Ch 84. That case concerned the effect of s 82 of the English Banking Act 1987, which made it a criminal offence for a person who received information relating to the business or other affairs of any person under or for the purposes of the Act to disclose that information without the consent of the person to whom it related and (if different) the person from whom it was received. Laddie J’s decision concerned whether Price Waterhouse had obtained information ‘under or for the purposes of the Act’ (the information had come into Price Waterhouse’s possession in their role as BCCI’s auditors) and also whether Price Waterhouse would ‘disclose’ any such information by giving discovery in civil proceedings to BCCI’s liquidator, who was suing Price Waterhouse for negligence in their role as BCCI’s auditor. Laddie J followed the approach taken by the House of Lords in Attorney-General v Associated Newspapers Ltd [1994] UKHL 1; [1994] 2 AC 238 and held that a person only ‘discloses’ information to another person when the recipient was previously unaware of that information. In other words, it is necessary to impart some information not previously known to the recipient before a disclosure occurs. However, Laddie J recognised the practical difficulties which flow from this interpretation. In the case at hand there were about 60 individual defendants and eight other parties. Accordingly, it was held that in the absence of a reliable mechanism which would ensure that disclosure of documents went no further than the class of people who already knew the relevant information contained in them, the party who had the documents should not be compelled to give discovery of them.

A similar result was reached by Bleby J of the Supreme Court of South Australia in King v South Australian Psychological Board [1998] SASC 6621; [1998] EOC 92-929. That case concerned the Whistleblowers Protection Act 1993 (SA), which prohibits a person from causing ‘detriment to another on the ground ... that the other person or a third person has made or intends to make an appropriate disclosure of public interest information’. In this case Mr King had lodged a complaint about a psychologist with the Board in 1989. The Board decided to take no action at that time. Mr King relodged the complaint in 1995 and, when the Board took no action again, Mr King alleged that the Board had breached the Act by causing him detriment. Bleby J held:

On the appellant’s own case, the information which he provided to the respondent on 5 April 1995 was a repeat of a complaint he had previously made to the respondent in December 1989. To disclose in this context means ‘to open up to the knowledge of others; to reveal’ (Shorter Oxford English Dictionary). A disclosure is therefore the act of disclosing or opening something up to view or revealing it. A necessary implication is the information disclosed has not previously been revealed to the person to whom it is disclosed. ... The assumption behind the Act is that the information disclosed has not previously been made known to the authority concerned, and the object is to ensure that persons who make known such information should have adequate protection when they make it known. As the relevant information had already been made known by the appellant to the respondent in 1989, there was nothing new to disclose, and on the appellant’s case as particularised by him, there was no relevant disclosure.

However, it has been held that ‘disclose’ does not have this meaning in the context of the Bankruptcy Act 1966 (Cth) which, by s 269, provides that it is an offence for an undischarged bankrupt to carry on business in the name of a partnership ‘without disclosing to every person with whom ... the partnership deals, his or her true name and the fact that he or she is an undischarged bankrupt’: R v Glenys Ruth Scott (1996) 131 FLR 137. In that case, Ms Scott was an undischarged bankrupt carrying on business in the name of a partnership. She appealed from a conviction against s 269 by arguing that it was necessary for the prosecution to establish that a credit provider who extended credit to the partnership did not know that she was an undischarged bankrupt. Doyle CJ said:

Section 269 is intended to protect persons dealing with an undischarged bankrupt. That will best be achieved if the bankrupt must disclose that status on the occasion of each relevant dealing. Otherwise, the person who forgets that a person is an undischarged bankrupt, or assumes from silence that the bankruptcy has terminated, is at risk. It is sensible to require the bankrupt to leave nothing to chance. It is reasonable not to rest the obligation upon the bankrupt’s belief about the need to convey the information. In my opinion to require a bankrupt to tell a person what that person already knows — that the informant is an undischarged bankrupt — is not to impose an empty ritual. It is to ensure, at the risk of needless repetition on occasions, that the credit provider is told or reminded of a most material fact. ... I conclude that the section requires the bankrupt to tell the other party of his or her status on the occasion of each relevant transaction. That obligation is imposed and exists even though the credit provider knows that the other party is an undischarged bankrupt.

Plainly, this conclusion rests on the purpose of the bankruptcy law (that is, the mischief the offence was intended to protect against).

In the context of the Australian Privacy Act, it is hard to see any reason why ‘disclose’ should not be interpreted in accordance with its ordinary meaning. How would an individual’s privacy be enhanced by preventing an organisation from telling someone else a fact about an individual which the recipient already knows? However, this does have implications for an individual who wishes to take action against an organisation for breach of NPP 2 by reason of the organisation telling a third party a particular fact about the individual, where the individual bears an onus of proof. If the individual bears an onus of proof (for example if the individual was seeking an injunction under s 98 of the Privacy Act), it will be necessary for the individual to establish that the recipient of the information was not previously aware of that information. The practical implications are not so great where the dispute resolution procedures are not adversarial. So the inquisitorial procedures which the Privacy Commissioner would follow under s 40 of the Privacy Act should not be affected by this conclusion — the Commissioner would simply investigate whether or not the recipient of the information was previously aware of the relevant information.

Conclusion

The concepts I have discussed in this article are at the heart of Australia’s private sector privacy law. The object of the law is ‘personal information’ and the activities of ‘collecting’, ‘using’ and ‘disclosing’ such information are those which are primarily regulated by it. Organisations which will be regulated by the Act when it takes effect in December 2001 need to turn their attention from the seemingly never ending debate over whether privacy law is a good idea to analysing the potential effect of the law which has been enacted on their business. Many valuable lessons can be learnt from other countries who have implemented similar laws. I hope that this article will progress the under-standing by Australians of some of the central features of the Privacy Act.

Patrick Gunning, Senior Associate, Mallesons Stephen Jaques, Sydney. A version of this article was presented to the 5th Biennial Pacific Rim Computer Law Conference held in Sydney on 22 February 2001. Valuable comments on the article were made by Graham Greenleaf and Bruce Slane, but the author remains responsible for any errors in it. The opinions expressed are personal, and not necessarily those of Mallesons Stephen Jaques.


[1] Privacy Act 1988 (Cth), P IIIA.

[2] Telecommunications Act 1997 (Cth) and Telecommunications (Interception) Act 1969 (Cth).

[3] This situation comes about in the following way: the obligations to comply with the Act are placed on ‘organisations’ (s 16A). An ‘organisation’ does not include a ‘small business operator’ (s 6C), but a ‘small business operator’ can choose to be treated as an ‘organisation’ by registering that choice with the Privacy Commissioner (s 6EA). The small business operator may revoke a choice to be treated as an organisation (s 6EA(4)).

[4] House of Representatives Standing Committee on Legal and Constitutional Affairs Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 June 2000 para 2.20.

[5] As above.

[6] For discussion of the development of the OECD Guidelines see Justice Michael Kirby ‘Privacy protection, a new beginning: OECD Principles 20 years on’ (1999) 6 (2) PLPR 25.

[7] For an opinion as to why this has occurred see Lee Bygrave ‘Where have all the judges gone? Reflections on judicial involvement in developing data protection law’ (2000) 7 (1) PLPR 11 and 7 (2) PLPR37. The Federal Court of Australia has only considered the Privacy Act in a limited number of cases: Secretary, Department of Social Security v McKenzie (1993) 31 ALD 55; Austen v Civil Aviation Authority [1994] FCA 1104; (1994) 50 FCR 272; Liu v Minister for Immigration & Ethnic Affairs (1994) 55 FCR 439; Caratti v Commissioner of Taxation [1999] FCA 1296; Ibarcena v Templar [1999] FCA 900; Ibarcena v Smyth [2000] SCACT 40, [2000] FCA 1942; Goldie v Minister for Immigration [2000] FCA 1873. It has not been necessary in any of these cases to address any of the central features of data protection law which are discussed in this article.

[8] Section 6.

[9] Privacy Act 1993 (NZ), s 2.

[10] Data Privacy Ordinance 1996 (HK), s 2 (definitions of ‘personal data’ and ‘data’).

[11] Personal Information Protection and Electronic Documents Act 2000 (Canada), s 2.

[12] (1993) 31 NSWLR 606. In the context of the Commonwealth FOI legislation, Colakovski v Australian Telecommunications Commission [1991] FCA 152; (1991) 29 FCR 429 reviews many of the Federal Court authorities on ‘personal affairs’.

[13] (1993) 31 NSWLR 606 at 625.

[14] Freedom of Information Amend-ment Act 1991 (Cth).

[15] Unreported, Jenkinson J, 27 October 1995, proceedings VG 6 of 1995. The case is summarised at (1997) 67 FoIReview 15. This was an appeal from the AAT’s decision in Re Strang and Department of Immigration and Ethnic Affairs (1994) 36 ALD 449. Note that certain passages of this judgment are not publicly available due to a confidentiality order made by the Court. For this reason the judgment has not been reported in full and the only version which is available is a redacted copy which can be obtained from the Federal Court registry on request.

[16] (1994) 36 ALD 449 at 460.

[17] Unreported, Jenkinson J, 27 October 1995, at 19.

[18] At 19-20.

[19] At 20-21.

[20] The effect of the 1991 amendment has been the subject of some debate in the AAT, although little has turned on the debate because the ultimate application of the s 41 exemption has depended on whether or not granting access to the relevant document would involve an ‘unreasonable disclosure’ of personal information. In Marr v Telstra Corporation Ltd (unreported, P93/337, 20 October 1993 and 22 April 1994) Senior Member Allen doubted there was any practical difference between ‘personal affairs’ and ‘personal information’ about an individual. In Re Cook and Comcare (1996) 23 AAR 19 at 27, Senior Member Beddoe proceeded on the basis that information concerning an employee’s working environment is not ‘personal information’, whereas information concerning an employee’s work performance and work capacity is ‘personal information’. If wrong in that opinion, Senior Member Beddoe decided that it would not be an ‘unreasonable disclosure’ of personal information to give access to information concerning an employee’s work environment. Deputy President McMahon, in Re Subramaniam v Refugee Review Tribunal (1997) 44 ALD 435 at 443-444, decided that information about an employee’s work performance or efficiency was not ‘personal information’ (although he went on to find that the disclosure of such information was not unreasonable). See also Re Hanbury-Sparrow and DFAT (1997) 47 ALD 779; Re Warren and Department of Defence (1994) 54 FOIReview 86; Re Keane and ABC (1995) 57 FOIReview 47; Re Morris and AFP (1996) 63 FOIReview 35.

[21] R v Department of Health; ex parte Source Informatics Limited [2000] 2 WLR 940 at 954-955.

[22] Harder v Proceedings Commissioner [2000] NZCA 129; [2000] 3 NZLR 80 at 89.

[23] At 90.

[24] At 95.

[25] Note that the same instruction is not given to the Court when it is excercising the jurisdiction conferred by s 98 of the Act (to grant injunctions to restrain breaches of the Act).

[26] Such as the matters identified in the exclusion to the Canadian definition, namely ‘the name, title or business address or telephone number of an employee’.

[27] The notification requirements in NPPs 1.3 and 1.5 are likely to be the major burden imposed on organisations who collect basic information about employees. The fact that there are no exceptions to the notification requirement would, no doubt, be urged on the court as a reason to adopt the approach espoused by Tipping J to the interpretation of the ‘personal information’.

[28] Harder v Proceedings Commissioner [2000] NZCA 129; [2000] 3 NZLR 80 at 90, 95, 96.

[29] DPP 1(2). The equivalent Australian NPP is NPP 1.2.

[30] Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692 at 700.

[31] At 701.

[32] At 702-703.

[33] DPP 6 (in the Australian context, see NPP 6).

[34] Comparable to the Australian NPP 2.

[35] Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692 at 704.

[36] As above.

[37] This demonstrates one important difference between the Hong Kong and Australian legislation. The media exemptions under Hong Kong law are narrowly cast (primarily exempting media organisations from the obligation to give access to and permit corrections of personal data). If the case had arisen under the Australian Act, the publisher’s activities would be exempted from the Act if the publisher was publicly committed to observing standards that address privacy considerations in the context of the activities of media organisations (such as the Australian Press Council’s principles): Privacy Act 1988 (Cth), ss 7(1)(ee) and 7B(4).

Download

No downloadable files available