22 March 2014

Changes to Privacy PIDs

The Office of the Australian Information Commissioner (OAIC) has announced the making of Privacy Public Interest (Enhancing Privacy Protection) Amendment and Repeal Determination 2014, reflecting the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) that amends the Privacy Act 1988 (Cth).

Under section 72 of the 1988 Act the Australian Information Commissioner was authorised to make a Public Interest Determination (PID), ie a formal determination that an act or practice that might breach one of the Information Privacy Principle, National Privacy Principles or an approved privacy code would be regarded as not in breach of the Act. The PIDs thus function as delegated legislation, giving the Commissioner considerable power to change the effect of the Act in technical areas that might not attract the interest or understanding of Parliament.

The PIDs included the controversial genetic data PIDs (PID 11 and 11A) that in their initial form authorised clinicians to trawl directory database to contact any Australian with a particular surname, on the basis that those people might be a genetic relative of someone with a serious genetic condition. The PIDs were in essence a licence to embark on a badly-managed and inadequately conceptualised genetic expedition that was likely to result in more harms than benefits.

The reforms provided by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) amend the Commissioner's power to make a determination under s 72, which now refers to the new Australian Privacy Principles (APPs, replacing the discrete IPPs and NPPs) and registered APP codes.

Schedule 6 of the 2012 Act features 'savings provisions' for those PIDs in force prior to commencement of the amendments this month. It indicates that an existing PID has effect as if it had been made under the amended Privacy Act. The Commissioner may, by legislative instrument, vary an existing PID to take into account amendments made by the 2012 Act. In considering that variation the Commissioner may consult any person or entity, taking into account any matter that he considers relevant.

The Privacy Public Interest (Enhancing Privacy Protection) Amendment and Repeal Determination 2014 amends PIDs 3A, 5, 12 and 12A. Amendments under item 12(3) Schedule 6 of the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) are intended to ensure that each PID operates as it did prior to this month.

PIDs 4, 7, 11, 11A, 13 and 13A are repealed as no longer required, given that the acts and practices are covered by an exemption or exception to one of the APPs. PID 8 is also repealed as no longer required, given that the act or practice covered by that PID is complete.

The PIDS affected by the changes are -
PID 3A - Commonwealth Director of Public Prosecutions: the DPP may disclose to a relevant authority information in the DPP's possession about an individual where that information indicates serious misconduct directly relevant to the performance of a regulated occupation or profession; or of a public service position.
PID 4 - Disclosure of police reports for the purposes of pursuing insurance claims or civil litigation: the Australian Federal Police may disclose personal information contained in criminal offence reports and motor vehicle accident reports subject to conditions
PID 5 - Australian Federal Police: the AFP may, subject to conditions, disclose personal information relating to homicides in the ACT, to the Australian Institute of Criminology to enable the AIC through its Homicide Monitoring Centre to undertake out research under the national homicide monitoring program.
PID 7 - the Department of Foreign Affairs and Trade: the Department is enabled to disclose the personal information of Australians overseas to their next of kin in certain limited circumstances.

PID 8 - DPP: Disclosure of personal information contained in certain DPP files that relate to serious incidences of fraud, dishonesty and deception to the Australian Institute of Criminology for research purposes.

PID 11 - Genetic Data: Collection and use of contact details of genetic relatives to enable use or disclosure of genetic information

PID 11A - Genetic Data: Collection and use of contact details of genetic relatives to enable use or disclosure of genetic information

PID 12 - Collection of Family, Social and Medical Histories: The applicant [clinicians] collects health information from an individual, or from a responsible person for the health consumer, about a third party in circumstances where a) the collection of the third party’s information into the consumer’s family, social or medical history is necessary to provide a health service directly to the consumer, and b) the third party’s information is relevant to the consumer’s family, social or medical history, and c) the applicant collects the third party’s information without obtaining the consent of the third party, and d) the third party’s information is only collected from a responsible person for the  consumer if the  consumer is physically or legally incapable of providing the information themselves.

PID 12A - Collection of Family, Social and Medical Histories: no organisation providing a health service is taken to contravene the Act if the organisation does an act, or engages in a practice, that is the subject of PID 12 (Collection of Family, Social and Medical Histories).

PID 13 - Disclosure and collection of personal information to improve outcomes for children and young people at risk of serious harm

PID 13A - Disclosure and collection of personal information to improve outcomes for children and young people at risk of serious harm
The Commissioner has concurrently approved Guidelines issued by the National Health & Research Council (NHMRC) that have the same effect as the superseded PIDs 11, 11A, 12 and 12A.