Privacy and people with decision making disabilities guide
Part 1. Introduction
1.1 Who is this guide for?
This guide is primarily intended to be used by NSW public sector agencies that handle personal information about adults with decision-making disabilities. Public sector agencies are defined in the Privacy and Personal Information Protection Act 1998 (PPIP Act) to include NSW State government departments, area health services and local councils.
This guide may also be used by private organisations that handle information about people with decision-making disabilities. However private organisations may need to comply with the Federal Privacy Act 1998 and should not rely on this guide without checking that their practices comply with that Act.
For more information about the Federal Privacy Act, please contact the Office of the Australian Information Commissioner on 1300 363 992 or at https://www.oaic.gov.au/privacy/.
1.2 When does this guide apply?
This guide applies to situations where an agency collects, stores, uses, discloses or otherwise handles personal information about a person with a decision-making disability.
A person’s capacity to make decisions may be impaired by a range of conditions including a mental illness, intellectual disability, dementia, brain injury or stroke. A person’s capacity may also be impaired if they cannot communicate their wishes because of a disability, illness, injury or accident.
This guide applies to personal information only and does not cover the right of privacy generally, including physical privacy. It is also not intended to apply to children and young people. Privacy NSW is working on a separate guide on children and young people’s privacy.
1.3 Why has it been written?
This guide has been prepared by Privacy NSW to assist NSW public sector agencies to apply the Information Protection Principles (IPPs) under the PPIP Act in a manner that protects and promotes, to the greatest extent possible, the privacy of adults with a decision-making disability.
Personal information privacy is fundamental to a person’s ability to enjoy their human dignity and autonomy. While everyone must compromise a reasonable level of their information privacy in order to live in society, people with decision-making disabilities are often expected to make far greater compromises than other people. Some compromises are reasonable so that a person can receive adequate services to meet their personal, health, financial or other needs and wishes. At the same time, people with decision-making disabilities are entitled to the same privacy rights as anyone else – including collection of personal information only by lawful means, the right to access and correct personal information held by agencies, restrictions on disclosure of personal information without consent unless lawfully authorised, and the right to hold organisations accountable when privacy is breached.
The PPIP Act is silent about what happens when a person cannot understand or make decisions about how their personal information is handled. This guide recommends a best-practice approach, based on principles or ‘signposts’ that agencies can use to inform their policies and procedures when handling personal information about people with decision-making disabilities.
The best practice approach in this guide should be adapted to the unique circumstances of each individual. Privacy NSW recommends that agencies develop their own guidelines or policies that deal with their particular organisational environment, especially if their core business includes providing services to people with decision-making disabilities. An agency’s guidelines should be reviewed and updated as relevant legislation or practices change.
1.4 What is its legal status?
The Privacy Commissioner has a function, under section 36(2)(b) of the PPIP Act, to prepare and publish guidelines relating to the protection of personal information and other privacy matters. Privacy NSW anticipates that this guide will also accord with similar functions of the Privacy Commissioner under the Health Records and Information Privacy Act 2002 due to come into operation on 1 July 2004. For more information about the Health Records and Information Privacy Act please contact Privacy NSW. Our contact details are in Part 5.
This guide is not legally binding. It does not override the IPPs in the PPIP Act or diminish the entitlements of people with a decision-making disability under the Act. It just provides a best practice guide for handling personal information about individuals with a decision-making disability.
The guide may be referred to in privacy codes of practice approved under the PPIP Act or in directions made by the Privacy Commissioner under section 41 of the PPIP Privacy NSW - Privacy and people with decision-making disabilities 3 Act. In these cases, the guide would have legal force to the extent provided in the relevant code or direction. For more information on codes and directions, please contact Privacy NSW.
This guide does not limit, but may influence, the way in which the Privacy Commissioner exercises his or her functions, including complaint-handling functions under Part 4 of the PPIP Act and monitoring internal reviews under Part 5 of the PPIP Act.
This guide will be reviewed and updated by Privacy NSW as relevant legislation or practices change.
Part 2. Principles
The dependency of people with decision-making disabilities on others does not mean that they lose their privacy or other human rights. On the contrary, privacy is particularly important for people with decision-making disabilities because they are vulnerable to greater intrusions on their privacy than others.
This guide is informed by the following principles. They are based on international legal instruments, including the International Covenant on Civil and Political Rights, and domestic law including the Disability Services Act 1993 (NSW).
(a) Respect for dignity and autonomy
All people have the inherent right to respect for their human dignity and autonomy.
(b) Equal statutory rights
All people are equally entitled to the rights contained in the PPIP Act.
(c) Access to information
All people have the right to be provided with information necessary to allow informed choice, in a manner appropriate to each person’s abilities and their linguistic and cultural background.
(d) Participation in decision-making
All individuals have the right to participate to the greatest extent possible in decisions which affect them, including decisions about how their personal information is handled.
(e) Respect for opinions
All individuals have the right to have their values (including cultural values), wishes, preferences and opinions about how their personal information is handled respected by others.
Government agencies are accountable to individuals who use their services, including people with disabilities, the support persons of people with disabilities and the community generally, for decisions about the way that personal information is handled.
Part 3. Consent and Capacity
Consent or withholding consent to what happens to one’s personal information is fundamental to privacy. Giving or withholding consent increases a person’s control over whether and what personal information is known to others including government agencies, private organisations, family, friends and professionals.
Some parts of the PPIP Act rely expressly on the concept of consent to restrict the use and disclosure of personal information (sections 17 and 26(2)). Other parts rely on a person’s ability to understand certain things about the way their personal information is collected and disclosed (section 10) and understand that they have the right to access and correct their personal information (sections 14 and 15).
Consent is only genuine if the person giving consent has the capacity to give or withhold valid consent. For consent to be valid it must be voluntary, informed, specific and current.
3.2 What is capacity?
A person has capacity if they are able to understand the general nature and effect of a particular decision or action, and can communicate their intentions or consent (or refusal of consent) to the decision or action.
A person’s capacity to make a particular decision should only be doubted if there is a factual basis to doubt it. An agency should not assume that a person lacks capacity just because they have a particular disability.
The law presumes that all individuals have capacity except in special circumstances.
For example, children are not generally regarded as having legal capacity. Adults subject to protective orders of a court or tribunal may also have limited legal capacity.
There is no ‘one size fits all’ test for whether a person has capacity in a given situation. Assessing a person’s capacity involves making difficult judgements and considering complex issues.
As a general principle, a person’s capacity should only be assessed by an appropriately qualified health professional. However we recognise that in practice there will be situations where other people may need to make decisions that involve judgements about a person’s capacity. The following issues are relevant when thinking about how a person’s capacity may affect their ability to give or withhold consent, and make particular decisions about their personal information.
Capacity is unique to the individual
People with decision-making disabilities are not a homogenous group. A wide range of conditions may affect a person’s capacity including mental illness, intellectual disability, dementia, brain injury, illness, accident or disease. Capacity also varies widely among people with the ‘same’ disability. For example, two people with dementia or the ‘same’ mental illness can have very different degrees of capacity.
Capacity is also influenced by each person’s unique social circumstances and emotional and intellectual abilities.
Capacity is not static
A person’s capacity may change over time. The ability to make decisions may be affected by factors that are pre-existing or acquired, temporary, episodic or chronic. For example, a person with a mental illness may not be able to make particular decisions during periods of their illness where they are acutely unwell, but may have capacity at other times. A person with dementia may have capacity in the early stages of dementia but lose capacity to make decisions about parts or all areas of their life later on.
Capacity depends on the nature of the decision to be made
A person may not have the capacity to make decisions about certain aspects of their lives but retain the capacity to make decisions about other matters. For example, a person may not be capable of making decisions about their financial affairs or major medical treatment, but still have capacity to make decisions about basic health care and their lifestyle generally, such as where they want to live and who they want to share this information with.
Similarly, if a person does not have capacity to make decisions about particular types of personal information such as their financial information, they may still have capacity in relation to other kinds of personal information and how their information is collected, used, disclosed or otherwise handled. This information could include, for example, their address and telephone number, social security details, religious beliefs or their sexuality. In this way, a person may have the capacity to exercise privacy rights even if they lack the capacity to make other decisions about their lives.
Capacity depends on the support provided to make a decision
A person’s capacity may depend on whether appropriate support is provided to enable them to exercise their capacity. For example, many people with an intellectual disability are capable of making decisions if information is communicated in a way that is appropriate to their abilities and usual methods of understanding. If a person has a low level of English language proficiency or is from a culturally diverse background, it is important to provide information in their first language or in a manner that is culturally appropriate so that they can exercise their capacity to the greatest possible extent.
Cultural and linguistic background
Assumptions about a person’s cultural and linguistic background should not influence judgements about capacity. For example, behaviour that may seem irrational or unacceptable in one culture does not necessarily indicate that a person lacks capacity. If a person loses their second language ability and reverts to speaking their first language as they grow older, this does not necessarily indicate that the person lacks capacity.
A ‘bad’ decision does not indicate incapacity
A person might make a decision that an agency or their support person regards as uninformed or misguided, but still have capacity. To have capacity, a person does not need to make what other people might regard as a ‘good’ or ‘right’ decision, or a decision that may be in the person’s best interests. A person only needs to understand the general nature and effect of a particular decision or action and be able to communicate their intentions or consent.
3.3 What is consent?
For consent to be valid it must be voluntary, informed, specific and current. If a person has a decision-making disability, they may not be able to give valid consent in terms of all of these aspects. Agencies should carefully consider all the aspects of valid consent and provide appropriate support to help people to exercise their capacity to give or refuse consent to the greatest possible extent.
Consent must be voluntary
A person must be free to exercise genuine choice about whether to give or withhold consent. Consent must be given without coercion or threat and with sufficient time to understand the request and, if appropriate, take advice.
Coercion or threat need not only be overt. It may also be implicit such as the threat to withdraw or not provide services if consent is not given. For example, if a person has no practical alternative but to provide certain information in order to receive a service, an agency should not suggest that they are seeking the person’s consent to the collection of the information. However in these circumstances, the agency must still be open about how it handles a person’s information by notifying the person about relevant matters when it collects their information (see section 10 of the PPIP Act).
Consent must be informed
Generally, a person must have reasonable knowledge of all relevant facts before they give or refuse consent. Providing incorrect or misleading information may mean that an individual’s consent is invalid.
Examples of relevant facts include:
- the personal information to be collected
- the purpose or purposes of collecting the information
- who will have access to what parts of the information
- what the recipient will use the information for
- who the information will be passed on to
- whether providing the information is voluntary or required by law
- the consequences of giving or refusing consent.
Generally, the more privacy-intrusive the proposed conduct or use of personal information, the greater the care required to provide appropriate information and support to enable a person to exercise their capacity to the greatest possible extent.
For example, a person with a mild intellectual disability may be able to understand a simple notification form advising about the routine collection of personal information. However, if consent is sought in relation to the collection, use and disclosure of sensitive personal information for research purposes, the same person may need a support person to help explain the effects of a decision to consent to or refuse the conduct.
Consent must be specific
Consent must be reasonably specific to meet the circumstances of each case. If the information given by the agency’s notification is too broad or vague, the consent may not be specific enough to be regarded as valid.
How specific notification should be will depend on various factors. These factors include:
- the nature of the personal information - for example whether it is more or less sensitive or complex
- the proposed use or disclosure, including future uses or disclosures
- who else might receive the information and how they will use or disclose the information
- the recipient’s level of accountability- for example, whether the agency, organisation or individual is also bound by privacy legislation.
Generally, the more privacy-intrusive the proposed use or disclosure, the more specific the notification and consent will need to be. For example, consent to collect and use personal information to provide an accommodation service could be sought in a simple notification form. However consent obtained for this purpose would not cover a proposal to subsequently disclose the person’s information for marketing or research purposes.
Consent must be current
Consent has a ‘use-by’ date. Consent given in particular circumstances cannot be assumed to endure indefinitely with the passage of time and changes of circumstances. Good practice is to inform the person of a specified period for which the consent will be relied on in the absence of any material change of circumstances that the agency knows or ought reasonably to know. Agencies should also make it clear that a person is entitled to change their mind and revoke consent later on.
The nature of a person’s disability may cause them to lose awareness of matters about which they were previously informed. Therefore, while an agency may have previously provided information to someone when they had capacity, it may not be appropriate to rely upon this notification for subsequent decisions if the person has since lost capacity. Similarly, if a person with a decision-making disability loses their second language skills and reverts to their first language due to age, agencies may need to use a qualified interpreter or other appropriate means to communicate in the person’s first language, even if the agency has previously provided them with the same information in English.
3.4 Express and implied consent
Consent at law may generally be either express or implied. Although it will depend on the nature of the personal information and the proposed conduct, it is usually preferable to seek express consent.
In some situations the law requires that a person must always give their express consent to certain conduct. For example section 26(2) of the PPIP Act says that agencies do not have to comply with the usual obligations regarding notification (section 10) and restrictions on disclosure of the information (sections 18 and 19) if the person has expressly consented to non-compliance with the relevant IPPs.
Express consent is consent that is clearly and unmistakably communicated. Express consent may be given in writing, orally or in any other form where the consent is clearly communicated. Express consent should be sought in writing wherever practicable. If a person gives their express consent orally or by other means such as through a language or sign interpreter, agencies should document this in their records.
Implied consent is consent that can reasonably be inferred from an individual’s conduct or actions. However it may be difficult to demonstrate that an individual has genuinely consented if consent is merely inferred by an agency. Because of this it is generally preferable to seek a person’s express consent. This is especially the case if the proposed conduct has significant implications for a person’s privacy.
The PPIP Act makes certain assumptions that may be relevant to whether an agency can rely on implied consent. These assumptions include that:
- people are willing to provide public sector agencies with their personal information on the assumption that it will be dealt with fairly and using best practice standards
- if people are properly informed about how their personal information is used, they will make choices about how much information they are prepared to provide.
If an agency relies on implied consent, it should be careful not to make assumptions that are not based on fact. For example, it may not be appropriate to infer consent just because a person has not stated their objection to the proposed conduct. The person may not have heard, may not have understood or may have had insufficient information to make an informed decision about the conduct.
Consent should not be inferred in a particular case just because:
- the person’s capacity to provide or refuse consent is impaired
- the proposed conduct is disclosure of personal information to a spouse or family member
- the benefits of consenting, as the agency sees them, suggest that the person would ‘probably’ consent if asked
- most other people have consented to the same use or disclosure of the information
- the person has given consent in the past
- the person has given general consent only - for example the agency has requested broad authorisation or a range of conduct in a ‘bundled consent’ (as sometimes happens when a person first comes into contact with an agency)
- the person does not have sufficient English language proficiency to communicate their wishes without an interpreter.
In some cases, it may be possible to infer consent (or refusal of consent) from such things as previously expressed wishes when the person had capacity. The views of close relatives or other people with whom the individual has or has had a relationship of trust may also assist in inferring whether consent is given or refused.
However implied consent involves making judgements. If a complaint is made about an agency’s conduct, it may be difficult to establish that the necessary consent was given. The agency relying on the consent may bear the onus of establishing whether the consent was valid or not.
Part 4. What agencies need to do
The PPIP Act says that when agencies handle personal information they may not do certain things without the consent of the person that the information relates to or without making the person aware of certain matters. These matters include what will happen to the person’s information and their right to access and correct personal information. The PPIP Act also implies that people should be made aware of their right to make a complaint if they feel their privacy has been breached.
In practice, if a person has a decision-making disability it may not be possible to comply strictly with these requirements. However a person with impaired capacity still has the right, like everybody else, to fair handling of their personal information.
Therefore agencies need a mechanism so that they can meet their legal obligations to people with a decision-making disability.
In this guide, we propose that agencies use a combination of substitute and procedural decision-making procedures (‘alternative decision-making’) where it is not possible in practice to comply strictly with the requirements of the PPIP Act because of a person’s limited capacity.
This guide does not authorise an agency to depart from the requirements of the PPIP Act. However an agency may lawfully rely on the alternative decision-making procedures proposed in this guide to the extent that they are authorised to do so by:
- another law
- an exemption within the PPIP Act itself
- a privacy code of practice approved under the PPIP Act
- a ‘section 41 direction’ made by the Privacy Commissioner under the PPIP Act.
To check if your agency is covered by a privacy code of practice or a section 41 direction, please contact your Privacy Contact Officer or Privacy NSW.
4.2 Involving people in decisions about their privacy
A person with a decision-making disability may need their information privacy rights to be exercised on their behalf by others. If another person makes decisions for them, the person with a decision-making disability should always be involved as much as possible in the decision-making process.
Many people with decision-making disabilities have strong views and preferences about who has access to their personal information and what happens to their information. A person’s wishes or opinions about their personal information privacy should be carefully considered, along with other relevant criteria, when making a decision about how their information is handled.
Appropriate information and support
Agencies should take reasonable steps to provide information and support that is appropriate to the abilities of each person and their cultural and linguistic background so that they can participate meaningfully in decisions. For example, an agency providing services to clients with an intellectual disability should provide information in, for example, a pictorial or symbolic format that can be understood by people with an intellectual disability.
We are currently working on a joint project with the Office of the Protective Commissioner to develop a notification statement for people with decision-making disabilities. This statement will explain people’s privacy rights when their information is collected by agencies. When the statement is finalised, it will be available on our website – www.lawlink.nsw.gov.au/privacynsw.
If information is more complex or a person’s capacity is more limited, agencies should also involve the person’s representative (if available) in the decision-making process.
Agencies should describe the procedures or steps that will be taken to provide people with appropriate information and support in their privacy management plan (section 33 of the PPIP Act). The steps taken in individual cases should be documented by agencies.
Previously expressed wishes
Sometimes a person may have made their wishes about their personal information known to others at a time when they had capacity. For example, a person in the late stages of dementia may have told their family, before the onset of their dementia, that certain information about them should be protected from disclosure. A person experiencing an acute episode of their mental illness may have expressed certain wishes or opinions about their personal information privacy at a time when their illness was less severe.
If an agency is aware of previously expressed wishes or opinions or could make itself aware by taking reasonable steps, it should consider the person’s previously expressed wishes with other relevant criteria when handling the person’s information.
4.3 Alternative decision-making
Alternative decision-making for people with decision-making disabilities may be applied to an agency’s obligations in relation to a person’s access and correction rights as well as obligations when collecting, using and disclosing information.
The two main alternative decision-making models are:
- a decision is made on behalf of the individual by a representative (substitute model)
- a decision is made on behalf of the individual by an agency or organisation using objective criteria (procedural model).
It is not always necessary or appropriate for an agency to choose between either substitute or procedural decision-making. We recommend that, where possible, agencies adopt features of both the substitute and procedural models in their decision-making. This flexible ‘integrated’ approach is more likely to fit the unique circumstances of each individual and promote the accountability of an agency when it handles personal information about a person with decision-making disabilities.
Accountability is particularly important if an agency departs from the general information privacy standards in the IPPs. In such cases, you should be able to provide clear and objective criteria to show why the usual privacy standards have been compromised.
Substitute decision-making is where a decision is made on behalf of a person by another individual who ‘stands in the shoes’ of the person.
Some people may have a guardian or a manager appointed by law to manage certain aspects of their affairs, such as their living and personal care arrangements or their finances. In practice many people with a decision-making disability are not subject to protective legal orders that authorise a third party to manage their personal or financial affairs. Even if such orders exist, they may not necessarily authorise the third party to make decisions about all the individual’s personal affairs or make decisions about their personal information generally. Similarly, a person may be able to rely on a ‘person responsible’ under the Guardianship Act 1987 to make decisions about their medical and dental treatment. However the person responsible is not authorised under the Guardianship Act to make decisions about personal information that is not related to medical and dental treatment.
The PPIP Act does not set out who should act as a substitute decision-maker. In this guide we recommend that agencies use a flexible definition of a person’s representative depending on the type of personal information being dealt with. For example, a financial manager appointed under a court or tribunal order should be able to represent the person in relation to decisions about their financial information to the extent authorised by their appointment. However in relation to other types of personal information such as information about lifestyle decisions, a different representative may be more appropriate.
A person’s representative may be:
- An attorney for the individual under an enduring power of attorney, in relation to decisions about personal information that are consistent within the scope of the order or instrument appointing the attorney.
- A guardian within the meaning of the Guardianship Act 1987, in relation to decisions about personal information that are consistent with the scope of the guardianship order.
- A person responsible within the meaning of the Guardianship Act, who may be, in descending order of priority:
(a) In the case of information about medical or dental treatment, the person’s guardian, if any, appointed to give consent to the carrying out of the medical or dental treatment.
(b) The spouse or partner of the person, if any, if the relationship between the person and the spouse or partner is close and continuing. A spouse or partner includes a person’s wife, husband, de facto opposite sex partner or de facto same sex partner.
(c) A person who has the unremunerated care, excluding a carer’s pension, of the person within the meaning of section 3D of the Guardianship Act.
(d) A close friend or relative of the person. A person is a close friend or relative if they maintain a close personal relationship with the other person through frequent personal contact and a personal interest in the other person’s welfare. A person is not to be regarded as a close friend or relative if they receive remuneration for or have a financial interest in any services that they perform for the other person.
4. A person who is otherwise empowered under law to exercise any functions as an agent of or in the best interests of the person (including a financial manager appointed under the Guardianship Act or Protected Estates Act), in relation to decisions about personal information that are consistent with the scope of the legal authority.
The representative chosen should be based on the type of personal information being dealt with. There may be cases where a person should have more than one representative to make decisions about different types of personal information. For example, a person’s financial manager may represent them in relation to information about finances, but their close friend may represent them in decisions about other kinds of personal information, such as health information.
Substitute consent should be flexible enough to accommodate cultural values that emphasise family and community relationships rather than the more individualist values of Western society. For example, an indigenous person may want more than one person from their community to act as their representative when making decisions about their personal information. In many families, regardless of culture, there is often more than one person involved in caring or taking responsibility for a person with a decision-making disability.
Limits of substitute decision-making
It is not always possible to use substitute decision-making. In some cases a person may not have a close relative, friend or other representative who can act on their behalf. In other cases, the views or interests of the person’s representative may conflict with the person’s current opinions or with a wish or opinion previously expressed by the person when they had capacity. In this situation, the views of the person’s representative should not automatically override the person’s views. A further limit to using substitute consent is where there are irreconcilable differences between family members about what is in the best interests of their relative.
These examples illustrate the importance of a procedural decision-making process that uses additional criteria to objectively assess the best interests of a person.
Another example where consideration of additional criteria is important is in the case of requests for access to information about a person by their relative, friend or other third party. On the one hand, an agency should not automatically deny a person’s representative access to this information, since it is important that people with decision-making disabilities can exercise their rights to access and correct personal information through someone else. However agencies should not automatically grant access to a person’s information without considering the circumstances of each case, including any wishes or views expressed by the person of which the agency is aware or could make itself aware by taking reasonable steps.
In the case of health information, the Health Records and Information Privacy Act 2002 (due to come into operation on 1 July 2004) allows health information to be disclosed to an immediate family member for compassionate reasons if the disclosure is not contrary to any wish expressed by the individual of which the organisation was aware or could make itself aware by taking reasonable steps (Health Privacy Principle 11(g)). For more information about the Health Records and Information Privacy Act please contact Privacy NSW.
Procedural decision-making uses clear and consistent criteria to assess whether the proposed information handling practice is in the best interests of the person. Procedural decisions are usually the responsibility of an agency rather than an individual. If an agency uses procedural decision-making, it should be able to demonstrate to an objective observer that decisions about a person’s information privacy were made in the best interests of the person concerned.
The criteria used to make a final decision about what happens to a person’s information should be set out in writing, particularly where the decision has significant privacy implications.
Relevant matters may include:
- the type of personal information being collected
- who will collect the information
- the purpose of collection
- the intended recipients of the information
- whether the person and/or their representative has been notified of the above matters in a manner that is appropriate to their capacities and linguistic and cultural background in accordance with section 10 of the PPIP Act
- how collection may benefit the person
- the consequences for the person if the information is not collected
- how a particular use or disclosure of the information may benefit or adversely affect the interests of the person
- any views expressed by the person about how their information is used and whether and to whom it is disclosed
- measures for retention and security of the information in accordance with section 12 of the PPIP Act
- whether the person and/or their representative has been notified of their right to access and correct the information in a manner that is appropriate to their capacities and linguistic and cultural background in accordance with sections 14 and 15 of the PPIP Act
- whether the person and/or their representative have been notified of their right to make a complaint to the Privacy Commissioner (Part 4 of the PPIP Act) or to request an Internal Review by the agency (Part 5 of the PPIP Act) if they believe the person’s privacy has been breached.
The weight that should be attached to these matters will vary depending on the particular circumstances of each case. For example, a person may express very strong views about wanting to participate in a research project and may be supported by their substitute decision-maker to do so. However, if the research project carries unreasonably high risks for the person’s information privacy, these risks may outweigh the person’s wish to participate in the project. As another example, a person may strongly object to the manager of their group home talking to their doctor about their spending habits and what they eat. The person’s objections should generally be given full weight with respect to the manager discussing the person’s finances with the doctor. However if the person had diabetes and their doctor was concerned that they had an appropriate diet, it may be important for the manager and doctor to discuss relevant information about the person’s eating habits.
Some matters will not require fresh consideration each time a decision is made. For example, an agency may have already addressed the measures taken for secure retention of the information in its privacy management plan (section 33 of the PPIP Act). Or the person and/or their representative may have previously been advised about their right to access and correct personal information, and to make a complaint if they believe the person’s privacy has been breached.
When making decisions using the procedural model, all relevant criteria should be assessed and documented by appropriate staff within the agency. An overall assessment of each criteria, and the final decision about what happens to a person’s information, should be made and documented at an appropriately high level of the agency. This is especially the case in situations where the proposed information handling practice is privacy-intrusive.
Procedural decision-making may be used alone if substitute decision-making is not possible. However we recommend that the substitute decision-making model is used with procedural decision-making whenever possible. This is because using both types of decision-making models is more likely to promote the best interests of the person and the transparency of the agency’s decision-making procedures.
The following checklist provides a model for using substitute decision-making and/or procedural decision-making.
Checklist for alternative decision-making
What are the IPPs or complaints mechanisms that are relevant to the information handling conduct? – please see Appendix A.
- The person’s capacity
- Does the person have capacity to exercise their entitlements under the IPPs and the PPIP Act (including the complaints mechanism) in relation to the conduct? If not, please see ‘alternative decision-making’ below.
- Can the person express a view about the conduct at the present time?
- Has the person been given an opportunity to express their views or opinions about how their personal information is handled?
- How has the person been provided with support that is appropriate to their capacities and their cultural and linguistic background to enable them to be involved in decisions about the conduct?
- Has the person previously expressed a view or wish about the conduct of which the agency is aware or could reasonably make itself aware?
- Is there any reason why the person’s current wishes or previously expressed wishes cannot or should not be followed now?
- Is it possible to seek the views or consent of the person’s representative?
- If so, how was the person’s representative identified?
- Have the views or consent of the representative been considered?
- Have all other relevant criteria been assessed and considered before making a final decision about what happens to the person’s information?
Part 5. Contacts
For further information or inquiries about this guide, please contact:
NSW Information and Privacy Commission
GPO Box 7011
Sydney NSW 1235
Ph: 1800 472 679
Fax: (02) 8114 3756
TTY: (02) 9268 5522
The following organisations may be able to provide assistance in relation to the general issues in this guide.
Australian Centre for Disability Law
PO Box 989 Strawberry Hills NSW 2012
Ph: 02 8014 7000 or 1800 800 708
TTY: 1800 644 419
Intellectual Disability Rights Service
Suite 2C, 199 Regent Street
Redfern NSW 2010
Phone: 02 9318 0144
Freecall: 1800 666 611 (outside Sydney)
Fax: 02 9318 2887
Mental Health Information Service
Level 5, 80 William St
East Sydney NSW 2011
Phone: (02) 9339 6000
Mental Health Information Service Line: 1300 794 991
Fax: (02) 9339 6066
NSW Trustee and Guardian
Locked Bag 5115
Parramatta NSW 2124
Ph: 1300 364 103
The Privacy and Personal Information Protection Act 1998 (PPIP Act)
- Certain provisions in the PPIP Act have particular relevance for people with decision making disabilities.
- Many of the information protection principles (IPPs) require, expressly or implicitly, that a person has the capacity to understand and/or consent to the way an agency can collect, use or disclose their personal information.
- For example:
- IPP 2 (section 9) requires a person’s authorisation before personal information about that person can be collected from a third party.
- IPP 3 (section 10) requires a person to be made aware of certain matters before, or soon after, personal information is collected about them by an agency, including:
- the purposes for which the information is collected - the intended recipients of the information
- whether supply of the information is voluntary or required by law
- the existence of the right of access to and correction of the information.
- IPP 6 (section 13) requires a person to be informed about whether an agency holds personal information relating to them.
- IPP 10 (section 17) requires a person’s consent before an agency can use their personal information for a purpose other than the purpose for which the information was collected.
- IPP 11 (section 18) requires that a person has been made aware of a proposed disclosure, and/or that the agency has no reason to believe the person would object to proposed disclosure, and/or a person has expressly consented before an agency can disclose their non-sensitive personal information.
- IPP 12 (section 19) requires a person’s express consent before an agency can disclose their sensitive personal information.
The PPIP Act has a complaints mechanism that includes:
- the right to make a complaint to the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual
- the right to an internal review of conduct by the agency and an independent review by the Administrative Decisions Tribunal.