Privacy laws generally include a requirement that personal data must not be collected unless it is relevant, that the data collected must not be excessive, and that the data must be collected from the individual themselves wherever practicable.
But many forms include an authorisation for the organisation to collect personal data about you from other people and organisations such as employers, doctors and government agencies, some of which is irrelevant.
This document provides guidance on what you should do when you’re confronted by demands that you provide an organisation with excessive authorisation.
If you just want the summary, you can skip the explanations and go to the Action Points.
Two companion documents deal with the following related topics:
- if you’re concerned about unreasonable demands for data, see ‘Data Collection’
- if you’re concerned about demands for copies of ‘id’, see ‘Identity Scanning’
Why Do Organisations Need Personal Data?
The companion paper on ‘Data Collection’ includes a section on this general question.
Often organisations cannot realistically justify the need to collect personal data from elsewhere.
However, there are many circumstances in which organisations do need data about you, and in some cases it needs to come from someone other than yourself. Examples include:
- where you don’t have the data, e.g. medical records
- where you have a self-interest in providing inaccurate information, and the organisation reasonably wants to be sure this isn’t the case, e.g. your status with a registration board
- where the law effectively requires the organisation to collect the data, but does not actually authorise the organisation to do so
In such circumstances, you are likely to need to sign some form of words that provides the organisation with an appropriate authorisation.
This document is about what you should do when an organisation demands that you sign a statement that you think is unreasonable.
Examples of Unfair Wording in Authorisations
1. The statement that you are asked to sign may authorise the organisation to gather data from other organisations, including ones that are irrelevant to the matter at hand.
WRONG: “from any organisation” or “from all medical practitioners”
MAYBE REASONABLE: relevant named organisations, or relevant defined categories (“all medical practitioners who are currently treating you for the conditions disclosed in this application”)
2. The statement may give the organisation authority that extends to data that is irrelevant.
WRONG: “all data” or “any information”
MAYBE REASONABLE: “data reasonably necessary for the consideration of this application”, “data relevant to the conditions disclosed in this application”
3. The statement may give the organisation too broad an authority to use the data.
WRONG: “authorises use of the data for any purpose”, or “authorises use of the data” (unqualified, and hence wide open)
MAYBE REASONABLE: “authorises the collection of [specific] data for the purposes of considering this application, and of conducting any relationship between you and the organisation”
4. The statement may give the organisation too broad an authority to disclose the data.
WRONG: “authorises the sharing of the information” or “authorises the sharing of the information with the organisation’s business partners”
MAYBE REASONABLE: “authorises the disclosure of the information only as necessary for the purposes of this application, and provided that the data is at all times subject to protections equivalent to those applying in the jurisdiction applying to this application”
Action Points
1. Read the statement
The statement that an organisation puts in front of you may contain a lot of ‘small print’. Such text is generally written by lawyers, and it’s (often intentionally) complicated and boring; but unfortunately it’s important to read it. Take your time, and read carefully the parts that authorise the organisation to collect personal data from somewhere else and to use and disclose it. Ask questions about anything you don’t understand.
2. Get a copy of the statement that you can amend
It is almost always impossible to do this if you are using a web-site. So in such cases you need to find a way to get a printed copy that you can write on (or amend in a word processor).
3. Amend it to make it reasonable
Focus on the things that really matter to you.
Look for the minimum change(s) that will satisfy your concerns while, in your view, still providing the organisation with what it reasonably needs.
For example:
- inserting the word ‘relevant’ in front of the word ‘information’ may make a big difference to the meaning
- inserting such words as ‘reasonable’ or ‘reasonably necessary’ can convert an excessive authority into one that you’re prepared to sign
- see the examples in the previous section
Initial the changes you make.
Keep a copy of the amended document that you sign.
Submit it.
Sometimes such changes are accepted, or overlooked.
4. Negotiate
If you’re told that the change is unacceptable, be polite, and ask why the amended words don’t give the organisation the authority it needs. Ask for specific examples of things that they may need to do that they can’t do if they accept your amended wording.
Allow for the possibility that the organisation may have a point.
Be prepared to give ground in order to win ground.
If the organisation won’t give in and you believe they’re being unreasonable, tell them: “I want a formal internal review by a senior manager, before I complain officially to the regulator”.
Be vague about which regulator you will complain to. Let them imagine whichever regulator they’re most concerned about.
5. Negotiate Harder
If they refuse to pass it up to a manager, write down the date and time, and the name of the person who did the refusing, and preferably the words they used. (They look bad in the eyes of a regulator if they had an opportunity to review the decision and failed to do so).
If a manager conducts a review, patiently explain your concern – remember that it may be the first time the manager has heard about the problem. The manager needs to be able to understand that you are both concerned and rational.
6. Take it to a Regulator
If the organisation still unreasonably demands an excessive authorisation, write down the reasons you are concerned about it.
If your reasons make sense once you see them on paper, consider sending a letter of complaint to the relevant regulator or oversight agency, such as a Privacy Commissioner.
There are resources on this web-site that can help you work out who to write to, and how to prepare the complaint.
7. Take it to the Media
Some regulators are effective; but all regulators have limited powers, many have very limited resources, and some have very little real commitment to actually helping people. So sometimes the most effective approach is to get the media involved in the matter.
A Brief Word About Credit Data
When you apply for credit, Part IIIA of the Privacy Act authorises the company to access data about you that is held by credit bureaux.
It is meaningless for the organisation to require you to ‘authorise’ this, because statute law overrides anything you might have to say about the matter.
If the form includes such a statement, you can cross it out. But it’s fair to the company to then write in and initial something like ‘I understand that, because I am applying for credit, you have legal authority to access my data at the credit bureau’.