Key developments during June and July 2017 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.

Meaning of “consent” to receiving notices by email

The Victorian Civil and Administrative Appeals Tribunal has rejected a submission that a tenant provided inferred consent to receive a notice to vacate by email from the landlord’s solicitors: Dimov v Cagorski (Residential Tenancies) [2017] VCAT 1055. The decision is of broad interest, given the fact that it involved an interpretation of the Electronic Transactions (Victoria) Act 2000, which is largely uniform as between all Australian jurisdictions. Section 8 of the Victorian Act provides that for a notice that must be in writing to be validly served by electronic communication, the recipient must have first consented to that form of communication. The landlord sought to infer consent on a number of bases, including the fact that it is “usual for solicitors to correspond by email”, that there had been correspondence between legal representatives in relation to separate issues concerning the tenancy, and that a signed “Authority to Act” provided the landlord with authority to gather information about the tenant. The Tribunal held that none of these factors could be equated with an express or implied consent for a Notice to Vacate being served by email.

Privacy rights, self-reporting and email addresses

On 31 August 2017, the New South Wales Civil and Administrative Tribunal found that the NSW Ombudsman had disclosed a student nurse’s name to a university without authority after the student lodged an anonymous complaint about the university providing her with a placement: CEU v Ombudsman [2017] NSWCATAD 267. The student complained that the university was putting public health at risk by providing her with a placement when she had been diagnosed with alcohol misuse. The Ombudsman had forwarded the email on to the university and although the complaint had been made anonymously, the student’s name was evident from her email address. The Tribunal concluded that the disclosure of the student’s name to the university did not satisfy the criteria for authorised disclosure under section 18 of the Privacy and Personal Information Protection Act 1998 (NSW). Although section 24 permits disclosure by an investigative agency if a failure to disclose might detrimentally affect the exercise of the agency’s complaint handling functions, the Tribunal considered the complaint could have been handled without revealing the student’s email address. Because the complainant had requested anonymity, there was no implied consent to disclosure.

Federal Court grants injunctions in respect of TV copyright infringements

On 1 September 2017, the Federal Court of Australia ordered 49 internet service providers to disable access to websites that streamed episodes of the television series “Wentworth”, on the basis that the websites were facilitating infringements of Foxtel's copyright in the program: Foxtel Management Pty Limited v TPG Internet Pty Ltd [2017] FCA 1041. The court noted the term "facilitating" is a broad concept and, as Nicholas J explained in Roadshow Films v Telstra in 2016, it can include "merely making it easier for users to ascertain the existence or whereabouts of other online locations that themselves infringe or facilitate the infringement of copyright". The injunctions were issued under section 115A of the Copyright Act 1968 which enables an injunction to be granted if the court is satisfied that a carriage service provider provides access to an online location outside Australia which has the primary purpose of infringing, or facilitating an infringement of, copyright. Each respondent was required to take reasonable steps within 15 days to disable access, and to redirect any communications to the disabled sites to a website maintained by Foxtel.

Court grants worldwide injunction against Twitter

On 28 September 2017, the New South Wales Supreme Court granted an injunction against Twitter, expressed as operating "everywhere in the world", preventing the publication of tweets containing the plaintiff's confidential information: X v Twitter [2017] NSWSC 1300. Justice Pembroke rejected Twitter's contention that it was not feasible for it to proactively monitor user content, noting that Twitter had elected not to appear at the hearing and no evidence to this effect had been placed before the court. He considered it appropriate that the court exercise its discretion to grant a worldwide order notwithstanding that compliance could not necessarily be guaranteed overseas – proof of the means of ensuring compliance in foreign jurisdictions was not a pre-requisite to the grant of the injunction. Any reservations about the utility of the order were outweighed, in his honour's opinion, by the unconscionability of the account holder's conduct, the commercial interest of twitter in complying with the law and the public interest in demonstrating that wrongful conduct would be addressed.

New statutory privacy offence in the ACT

On 2 August 2017, the Crimes (Invasion of Privacy) Amendment Bill 2017 was introduced into the Australian Capital Territory Legislative Assembly. The Bill foreshadows amendments which address a number of criminal justice legislative issues which have arisen through advancements in technology and associated cultural change. Principally, the Bill creates two new offences, namely the non-consensual distribution and the threat of distribution of intimate images. The legislation incorporates the National Statement of Principles Relating to the Criminalisation of the Non-Consensual Sharing of Intimate Images developed by the cross-jurisdictional National Cybercrime Working Group, established under the Law, Crime and Community Safety Council in 2010. The new provisions will be inserted as Part 3A of the Crimes Act 1900, under the heading “Invasion of Privacy”.

Parliamentary Committee endorses expanded Queensland surveillance powers

On 11 August 2017, the Queensland Legal Affairs and Safety Committee issued a report recommending the adoption of the Counter-Terrorism and Other Legislation Amendment Bill 2017. If passed, the Bill would increase law enforcement surveillance powers through amendments to the Public Safety Preservation Act 1986 (Qld), the Police Powers and Responsibilities Act 2000 (Qld) and the Terrorism (Preventative Detention) Act 2005 (Qld). Changes would include the power to search mobile phones and tablet computers, the power to take a person’s biometric information in order to establish their identity, facilitating the process for obtaining authority to install and use tracking devices, and replacing the “imminence test” for the issue of preventive detention orders with a “capability threshold test”.

Amendments to security legislation Bill

We have previously reported that on 9 November 2016, the Telecommunications and Other Legislation Amendment Bill 2016 was introduced in the Senate. If enacted, the Bill would amend the Telecommunications Act 1997, the Telecommunications (Interception and Access) Act 1979, the Administrative Decisions (Judicial Review) Act 1977 and the Australian Security Intelligence Organisations Act 1979. The objective is to establish a regulatory framework to manage national security risks of espionage, sabotage and foreign interference in Australia's telecommunications networks and facilities. The Bill was referred to the Parliamentary Joint Committee on Intelligence and Security which subsequently reported back on 30 June 2017, this in turn resulting in amendments being introduced in the Senate, renamed the Telecommunications and Other Legislation Amendment Bill 2017, on 14 August 2017. On the same day, the Commonwealth Attorney-General released a revised Explanatory Memorandum to take account of amendments proposed by the Senate, and accordingly this document supersedes the original memorandum tabled in November 2016.

Clarification of scope of Privacy Re-Identification Bill

On 11 September 2017, the Commonwealth Attorney-General issued an addendum to the Explanatory Memorandum for the Privacy Amendment (Re-Identification Offence) Bill 2016. We have previously reported that the Bill, which would create a retrospective criminal offence for re-identifying de-identified personal information, was introduced on 12 October 2016 and referred to the Senate Legal and Constitutional Affairs Legislation Committee on 7 February 2017. The addendum clarifies the intended operation of various sections. In particular, it makes it clearer that the Act extends to employees and contractors of universities (section 16CA); that an exemption applies to contractors engaged by an agency in connection with data-matching and similar data projects (section 16D); that an offence is only committed if the de-identification is intentional (section 16E); and that it is anticipated that only a small number of entities will require exemptions under section 16G in view of the narrow scope of the proposed offences and civil penalties in sections 16D, 16E and 16F.

Healthcare Identifier Regulation rectifies drafting oversight

On 11 September 2017, the Healthcare Identifiers Amendment (Healthcare Identifiers of Healthcare Providers) Regulation 2017 was introduced. The Healthcare Identifiers Act 2010 (Cth) implements a national system for assigning unique identifiers to healthcare recipients, individual healthcare providers and healthcare provider organisations. The purpose of the Regulation is to correct an unintentional omission in the Act arising out of amendments passed in 2015. The Regulation restores the express right of healthcare providers to use their own or disclose another healthcare provider’s identifier for the purpose of communicating or managing health information as part of the provision of healthcare services. Being a Regulation, this is something in the nature of an interim measure, but it is intended that the Act will be formally amended at a later date.

Increased usage rights for ABF information

On 12 September 2017, the Australian Border Force Amendment (Protected Information) Bill 2017 was introduced in the Senate after passing through the House of Representatives. The Bill amends the definition of “protected information” so that only specific kinds of information are covered by the secrecy and disclosure provisions of the Act. The Bill also removes the current requirement in the Australian Border Force (Secrecy and Disclosure) Rule 2015 for bodies to which classes of information can be disclosed to be prescribed, and it adds new “permitted purposes” for which personal information contained within protected information can be disclosed under the Act. Personal information contained in “protected information” (now re-named “Immigration and Border Protection information”) can now be disclosed for additional purposes connected with the inter-country adoption of a child, national security purposes and responding to requests regarding missing persons.

New guidance on de-identifying personal information

On 18 September 2017, the Privacy Commissioner released the De-Identification Decision-Making Framework which provides advice to private and public sector entities about the process of de-identifying personal information. Entities subject to the Australian Privacy Principles are required to take reasonable steps to destroy or de-identify personal information under their control if they no longer need that information for a legitimate purpose and the entity is not required by a law or court/tribunal order to retain the information. Entities may also wish to de-identify personal information so that the information can be released and put to new uses. The new Framework emphasises that de-identification is a process of risk-management and there will always be some risks associated with using useful de-identified data. The Framework refers to three "core de-identification activities", which comprise a total of 10 separate components. It is designed to assist entities identify and manage the risks associated with using de-identified data, depending on the relevant "data situation" which an entity faces.

Exposure draft practice note on outsourcing for tax practitioners

On 28 August 2017, the Tax Practitioners Board issued an exposure draft practice note providing guidance to registered tax practitioners in understanding their obligations under the Code of Professional Conduct in relation to the use of outsourcing and offshoring. The Code, which is contained in section 30-10 of the Tax Agent Services Act 2009 (Cth), does not specifically deal with outsourcing or offshoring, but the practice note identifies a number of existing obligations under the Code which may be of relevance. Existing obligations include those relating to disclosure to clients, maintaining professional standards and maintaining adequate supervision and control. The practice note emphasises that obligations under the code are separate from, and additional to, constraints placed on the use, storage and disclosure of personal information by the Australian Privacy Principles.

Inadvertent failure to provide complete health information is no defence

On 9 August 2017, the Victorian Civil and Administrative Appeals Tribunal held that a doctor who inadvertently overlooked some documents when responding to a request from a patent for a copy of his health information breached section 29 of the Health Records Act 2001 (Vic): Renly v Murdock [2017] VCAT 1197. Section 29 requires health information to be provided to an individual upon request. The complainant had requested clinical notes and medical reports, and it transpired that when responding, the respondent omitted certain information. The Tribunal emphasised that section 35 of the Act deems a failure to provide information to be a “refusal”, and accordingly section 29 had been breached. The respondent’s intentions were not relevant. The applicant was awarded $2,000 as damages.

Compliance with “openness principle” considered by VCAT

On 23 August 2017, the Victorian Civil and Administrative Appeals Tribunal found that an insurance company had not breached its obligation under Health Privacy Principle 5.1 to advise individuals how to access their health information. The Tribunal also found that the insurer had complied with HPP 5.2 which requires it to take reasonable steps to advise individuals what health information is being held: Kitson v Avant Mutual Group Ltd [2017] VCAT 1305. The complainant asserted that the insurer’s privacy policy was deficient because by simply stating that requests for access should be directed to its privacy officer, it did not (in the words of HPP 5.1) set out the “steps” involved in “obtaining” access. The Tribunal concluded, however, that when that paragraph was read in the context of the broader policy, adequate information regarding the process had been provided. The complainant also asserted that the insurer had failed to comply with a request under HPP 5.2(a)(i) as to “whether” it held any health information when the insurer simply forwarded him a list of documents without specifying whether or not those documents constituted health information In this regard, the Tribunal was satisfied that, given the history of exchanges between the two parties and the extent of the complainant’s existing knowledge of information held by the insurer, the response was “reasonable” in the circumstances.

Whether sex abuse claims constitute “health information” about the alleged perpetrator On 8 September 2017, the Victorian Civil and Administrative Appeals ruled that information in a psychiatrist’s clinical notes regarding a patient’s allegations of sexual abuse by his father did not constitute “health information” about the father: WOU v IVA [2017] VCAT 1411. The father considered the information was inaccurate because he denied the allegations. He was seeking an order under Health Privacy Principle 6.6 to require the respondent to associate a written statement which he had prepared with the son's records. The Tribunal found that whilst the allegations were “personal information” about the father, they did not fall within the definition of “health information” about the father for the purposes of the Health Records Act 2001 (Vic). The Tribunal rejected the father’s contention that the notes constituted information or an opinion about his mental or psychological health, noting that there was nothing in the information provided by the patient or collected by the psychiatrist which constituted an opinion about the father’s health or medical condition.