= material added since the date of the class concerning this topic
FOI Review, periodical ISSN 0817 3532, Edited by Rick Snell, Universtity of Tasmania,
Bygrave (doctoral thesis, 2000) 3.6. Data Subject Participation and Control states 'The fifth core principle of data protection laws is that persons should be able to participate in, and have a measure of influence over, the processing of data on them by other persons or organisations. This principle embraces what para 13 of the OECD Guidelines terms the "Individual Participation Principle" ...'
This is a serious problem for data subjects, as where an exemption applies, they usually have no direct way of knowing whether information held about them by the data user is incorrect, or is being misused. Their capacity to protect their interests under other IPPs, not just the loss of their right of access, is reduced (probably destroyed). Where personal information is being used in secret from the data subject, it is doubly important that it be accurate, because the data subject is unlikely to have any opportunity to 'put his side of the story'.
It is also a problem for data users, who may be using incorrect personal information without wishing to do so, and against their organisational interest in using correct information.
Explicit provisions for intermediary access are unusual in data protection or FOI laws. A limited and defective attempt at providing intermediary access is included in Australia's private sector NPPs (see NPP 6.3, and below), but not in the public sector IPPs (but see s41 of the Commonwealth FOI Act for a limited intermediary access provision).
Consideration must also be given to whether, as an incident of his ordinary powers, a Privacy Commissioner can effectively exercise intermediary access on behalf of a complaint where the data in question is exempt from access. There is a 'chicken and egg' problem here. In order for a person to credibly allege that their personal data is being used even though it is inaccurate (data quality principle) or that it is being used or disclosed for improper purposes (use/disclosure principles , the complainant would normally first seek access to his/her record to obtain the necessary evidence.
Where subject access is prevented, the data subject will have to attempt to provide credible secondary evidence of inaccuracy/misuse to the Commissioner. It would seem appropriate for Commissioners to exercise any discretions to commence investigations liberally in favour of complainants under such circumstances.
Correction of records raises further issues in these circumstances, dealt with below.
The NSW PPIPA likewise imports the exemptions (grounds for withholding) from the FOI Act 1989 (NSW) (PPIPA s20(5)). Similarly, while the Victorian IPA has detailed grounds for withholding set out in its Access Principle (IPP6), these are in effect overridden by s12 which defers to the FOI law (FOI Act 1982 (Vic)). There is as yet no experience under either the NSW or Victorian privacy laws as to how the Commissioners will handle access requests - presumably like the Commonwealth Commissioner by referring them to the established FOI processes. There is however a significant body of FOI law, including from the relevant NSW and Victorian Tribunals, dealing with the grounds for exemption, including the personal affairs/information exemptions, which is potentially relevant to future use of the private sector access right under the NPPs (see below under endorcement of access and correction).
However, see Siddha Yoga Foundation Ltd v Strang and Department of Immigration and Ethnic Affairs (unreported, Jenkinson J, 27 October 1995), the only Federal Court decision which has considered the meaning of "personal information" in the context of the freedom of information legislation ( discussed by Gunning ) deals with the facts in that case on the basis of whether names were 'personal information', not solely on the basis of whether the disclosure was unreasonable. This reflects the dominance in FOI law of the `openness and accountability' objective and the Courts' reluctance to cede too much `personal space' that would interfere with that objective. Government agencies, in contrast, have embraced the changed definition enthusiastically, often using the personal information exemption as an excuse to prevent scrutiny of public interest issues, even where the personal information relates to public servants in the performance of their work.
An agency can invoke the privacy exemption (s.41) without any consultation with the third party but if it wishes to grant access in whole or part to the information sought, and it decides that the third party might reasonably object, then it must give that person an opportunity to comment. (s27A) If the third party objects, the agency can still disclose, but only after the time limit for application for review by the AAT has expired (or any review appeal has been finalized). This process of consultation is known in the bureaucracy as `reverse FOI'.
(2) Where a person requests access to a document, this section does not apply in relation to the document so far as it contains personal information about the person.This provision appears to mean that the FOIA right of access to information (s11), insofar as it contains personal information about the person, cannot be limited by any previous secrecy provision. This will be so even if a previous secrecy provision is directed specifically at a class of information concerning personal information.
Insofar as subject access to personal information is concerned, the FOIA now effectively repeals all previous secrecy enactments. The affect of this change needs further assessment.
NSW Tribunal cases have also displayed an inconsistent approach to the `unreasonable disclosure' test, particularly to the issues of the public interest in efficient administration (Gliksman v Health Care Complaints Commission (2001) NSWADT 47) and of whether the motive of the applicant can be taken into account (Gilling v Hawkesbury Council (1999) NSWADT 94 and (1999) NSWADT 43; Humane Society v National Parks and Wildlife Services (2000) NSWADT 133; Saleam v Department of Community Services (2002) NSWADT 41 and Uddin v South Eastern Area Health Service (2002) NSWADT 228. The Victorian Tribunal has taken a different approach in holding that motive is a relevant factor (see for example Birrell v Department of State Development (2001) VCAT 258) (Acknowledgement to Peter Timmins for these case references).
Fear of granting subject access remains one of the private sector's main concerns about the new Act, although the general exemption for employee records has removed one of the most sensitive areas for subject access. But recruitment processes remain subject to the Act and one industry body has already tried to subvert the requirement to disclose attributed references. The Information Technology Contractors and Recruitment Association (ITCRA) submitted a draft Code of Practice to the Privacy Commissioner in 2002. (See www.itcra.com) Although the Code principles do not vary significantly from the NPPs (they must overall be at least the equivalent of the NP obligations), proposed guidance notes to principles 1 & 6 encourage member companies not to record the names of referees so as to avoid having to identify them when giving access to references. Following adverse criticism, ITCRA withdrew its Code application.
However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.'
6.3 If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.This falls short of being a right to intermediary access, only requiring the organisation to consider allowing intermediary access.
Part V - Access To And Correction Of Personal Data sets out a detailed regime. Part V provisions will prevail in the event of any inconsistency with DPP 6 (see s4). However, Part V must be interpreted in accord with the objects of the Ordinance (see B&W p156).
See generally B&W Chapter 9 for the details of access and correction procedures, particularly in relation to:
Berthold summarised the exemptions to both DPP 3 (use) and DPP 6 (access) as follows:
'Exemptions from both principles are accorded where their application to the data in question is likely to prejudice health, the prevention, preclusion or remedying of illegal or 'seriously improper conduct' (for example, disciplinary breaches), law enforcement, the collection of tax, and security, defence or international relations in respect of Hong Kong. Financial regulation is accorded some elaborate supplementary exemptions. Also exempted are data held by a news business solely for the purpose of a news activity.'
There are also access exceptions to some employment data (some staff succession plans and evaluative process data, and references), and data subject to professional privilege.
Can the Commissioner access an exempt document on a person's behalf?
However, access can occur if:
The problem is that some data protection laws tie the right of correction to the right of access, with the result that rights to seek correction (without access) are precluded in these situations:
IPP 7 does not contain any such limitation.
The Privacy Act s35 gives the Commissioner a function of acting as an intermediary where a person has requested an agency to amend a document, but that document is exempt from the applicant obtaining access to it, and the applicant has not otherwise obtained lawful access to it, so that the correction rights under s48 of the FOIA are inapplicable.
In such situations the Commissioner can inspect the (secret) documents on the applicant's behalf and, where appropriate, can recommend alteration or deletion, but can only require the agency to make additions, but not alterations or deletions, to the document. This extends the FOIA s51(2) addition right to exempt documents, but not the FOIA s51(1) correction right.
Conclusion: s35 may be too limited. Where a person is denied access to a document, the potential for it to do harm is at its greatest. It is surely a lesser evil to have the Commissioner order amendments in secret than to have an obvious incorrect and prejudicial record stand with merely some addition to it pointing out how wrong and prejudicial it is. The AAT has been very circumspect in ordering deletions or alterations, and the Commissioner could be expected to follow suit. The potential of IPP 8 (data quality) should not be overlooked here - the Commissioner could find that an agency that willfully refused to amend a record in the face of evidence of it not being accurate, up-to-date or complete was in breach of IPP8.
Archives legislation is also relevant. Arhives or reords laws may prevent an agency from actually changing or deleting information without keeping a historical record of the original.
This provision is unusual in requiring the individual to establish that the record is not accurate etc, rather than requiring the organisation to establish that it is.
There is no restriction on exempt private sector documents being amended, but the onus of proof provision would make this very difficult.
The draft Australian Casinos Association Privacy Code (see http://www.auscasinos.com/ps/PRIVACY_CODE_0403.pdf) improves on the correction principles in NPP6 in two ways - it applies the correction rights to non-Australian residents, and it provides for organizations to whom personal information has already been disclosed to be notified of any subsequent corrections.
However, in Part V - Access To And Correction Of Personal Data , s22 Data correction request states that 'where... (a) a copy of personal data has been supplied by a data user in compliance with a data access request; and (b) the ... data subject considers that the data are inaccurate, then that individual or relevant person, as the case may be, may ... request... correction to the data' (emphasis added). Correction appears to be contingent upon access.
Generally, s22 will prevail if there is any inconsistency between it and DPP 6. However, s22 must be interpreted in accordance with the purpose of the Ordinance (see the long title's reference to protection of privacy). It could be argued that DPP 6 is not inconsistent with s22, but adds to it, s22 merely covering the normal case of correction following access. There are no policy reasons which would seem to support the opposite conclusion.
The Privacy Act s41 gives the Commissioner a comprehensive discretion to decide not to investigate a complaint (s41(1)), or to defer an investigation (s41(3)), where a complainant has or could have commenced proceedings under the FOIA.
An applicant may seek an injunction under s98 from the Federal Court if an agency has contravened or proposes to contravene IPPs 6 or 7. In appropriate circumstances the Court could require access to a record to be given, or corrections to a record to be made. However, as injunctive remedies are discretionary, and particularly in light of the s41(6) requirement that the Court be satisfied that the agency has `refused or failed' to provide access or make a correction when it should have done so, it is unlikely that the Court would normally be willing to give injunctive relief where a person had not attempted to exercise rights available to them under the FOIA. There may, however, be situations of urgency where such relief was appropriate, effectively by-passing the rather lengthy procedures under the FOIA.
Commissioner's remedies (s52): If the Commissioner finds a complaint substantiated he may make a declaration (s52) that an agency
(ii) ...should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant' [or that] (iii) ... the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;The main problem here is to determine under what circumstances complainants who have suffered some loss or damage because of the existence of an incorrect record may obtain some redress beyond mere correction of the record.
It is important to note that IPP7, unlike FOIA s48, does not define an applicant's right to seek correction of a record, but rather an agency's obligation to take reasonable steps to ensure that the record is accurate etc. It is a plausible argument that this obligation is independent of any request for correction by the subject of the record, and that therefore there may be a breach of IPP7 even where there is no refusal to correct a record. IPPs 8 & 9 would then impose additional obligations to take any reasonable steps to ensure accuracy etc before a record is used.
Alternatively, IPP7 could be interpreted as only imposing obligations to take reasonable steps where a correction etc is requested, with the positive obligation on an agency to take steps to ensure accuracy etc only arising under IPPs 8 & 9. In that case, only a failure to properly correct a record on request could breach IPP 7.
It probably doesn't matter which interpretation of IPP7 is correct, because any loss or damage which results from the use of an inaccurate etc record could be argues to be a breach of IPP 8 or 9. In either case, the result is that there will be situations where the use of an inaccurate record, whether or not it results from the failure of an agency to correct it on request, could lead to the Commissioner providing remedies under s52.
It may be possible in many cases for agencies to argue that they have taken steps that are reasonable in the circumstances to ensure that records are accurate etc, even if those records turn out to be incorrect. However, any agency which is put on notice by a complainant that a record is incorrect will need to exercise special care before making any use of that record, or run the risk of declarations by the Commissioner.
In short, the `Commissioners remedies' do provide a substantial extension of the remedies available under the FOIA where loss or damage results from the use of incorrect records by agencies.
Foucault and Rule both stress that `openness' can help legitimise surveillance and dull opposition. However, `openness' is also a precondition for effective opposition to the development of undesirable systems. So `openness' is both `efficient' and `critical'.
Bygrave (doctoral thesis, 2000) 3.6. Data Subject Participation and Control discusses this principles as part of the first main category a set of principles empowering data subjects. 'First, there are rules which aim at making persons aware of data-processing activities generally. The most important of these rules are those requiring data controllers to provide basic details of their processing of personal data to data protection authorities, coupled with a requirement that the latter store this information in a publicly accessible register.'
Unlike the registration of data users required under UK law, Asia-Pacific privacy laws (Hong Kong, New Zealand, Australia and Canada) have never required registration. Australian Federal agencies are however required to submit an annual return to the Privacy Commissioner.