9. Enforcement and implementation of IPPs
Graham Greenleaf and Nigel Waters; revised by GG 23/3/2002,
Nigel Waters 14 May 2002 and 1/6/2003; GG 11/6/03
= required reading
= material added since the date of the class concerning this topic
What types of remedies for complainants, and powers of a privacy Commissioner,
provide the most fair, effective, and cost-effective way by which to ensure
compliance with IPPs by data users, public confidence, and redress for those
whose privacy has been adversely affected?
Here are some of the things that it might be desirable for privacy legislation
to achieve by way of enforcement and remedies:
- A low-cost and non-public way for complainants to obtain redress for
breaches by administrative procedures;
- A reasonable range of remedies, possibly including changes to records,
compensatory damages, injunctions and other remedies;
- Judicial review of such administrative action for procedural
- Given the wide scope and uncertain meaning of IPPs, the ability of
either party to seek interpretation by the Courts of the IPPs, by way of
Australian, Hong Kong and New Zealand privacy laws, like their European
and Canadian counterparts (but unlike the USA and some other Asia-Pacific
jurisdictions like Japan, Taiwan and Korea), are based to a large extent around
the role of a privacy or data protection Commissioner.
Factors contributing to a Commissioner's independence include the method
of appointment, grounds for dismissal, reporting lines, and control over
9.2.1. General references on Commissioner's roles
The federal Commissioner is effectively appointed by the Attorney-General
and remains under the AG's Department for budgeting and reporting. Separation
of the Office of the Privacy Commissioner from the Human Rights Commission
in the mid-1990s brought both advantages and disadvantages in terms of independence,
but overall had little effect on the practical inability of the Commissioner
to be too critical of the government of the day. A parliamentary committee
suggested making the Commissioner an Officer of Parliament (like the Auditor-General
and Ombudsman), but without guaranteed funding the then Commissioner
preferred to stay within the mainstream bureaucracy. The Commissioner can
be dismissed for bankruptcy, physical or mental incapacity, outside employment
or misbehaviour (undefined, but there are precedents in other areas). The Commissioner
does have a fairly high degree of independence in terms of his ability to
report, including directly to Parliament, and to make public statements,
but in practice this freedom is constrained by the necessity to keep on reasonable
terms with the government of the day to protect the budget of the office.
The NSW and Victorian Commissioners are in a similar position - appointed
by the government for fixed terms, but dependent on a government department
for funding and other support. The Victorian Commissioner automatically
ceases to hold office if declared bankrupt or convicted, but can otherwise
only be suspended and dismissed with the approval of Parliament. Under
the NSW PPIPA, the Commissioner, like his federal counterpart, can be removed
by the government for undefined misbehaviour or incompetence. But the practical
limits of independence may be illustrated by the resignation of the NSW Commissioner
in May 2003. The superficial reason for this was a conflict of interest
in the handling of a complaint in another jurisdiction, but the real reason
is widely understood to have been repeated public falling out between the
Commissioner and the government over both privacy and anti-discrimination
issues, leading the Commissioner to find his position untenable without the
confidence of the Premier.
The Commissioner can only 'be removed from office by the Chief Executive
with the approval by resolution of the Legislative Council on the ground
of- (i) inability to perform the functions of his office; or (ii) misbehaviour.'
(s5(5)(b))
See Berthold & Wacks p179
9.2.3. Powers and functions
Section 27 limits the Federal Commissioner's functions to those specified.
Also, these functions do not of themselves carry enforcement powers (which
are limited to selected functions discussed below). However, the general
functions were always wide and have been extended - one of the successes
of the political battles over the TFN matching extension and associated parliamentary
inquiries. Note the following extended powers:
Australian Federal Commissioner
The Commissioner's functions were further extended in 1993 in relation to
National Health Act guidelines (s.27(1)(pa)) and in 2000 in relation to the
added private sector jurisdiction - s.27(1)(aa)-(ad) and (ea):
- (b) to examine enactments - changed from only on request from the Minister
to `with or without request';
- (e) to prepare [advisory] guidelines for agencies and organisations
for the avoidance of acts and practices which may have `any adverse effects
on privacy', which was changed from only `interferences with privacy' (the
technical breaches of the various statutory obligations under the Act);
for the private sector, the amended function (e) replaces function (n),
which previously gave the Commissioner a role in promoting the OECD Guidelines
and is now redundant with the private sector extension in 2000 - this (n) has
been deleted in the private sector amendments;
- (k) to examine proposals for data matching/linkage; this was changed
to be either with or without a request, and to cover in all cases `any other
adverse effects' as well as `interferences with privacy', not just the latter;
- (r) a new general advisory role added in 1991 - again with or without
- In (b) and (k), the roles are given the additional objective of ensuring
(the word used is `ensure') that adverse effects are minimised.
The effectiveness of all these functions and roles depends on the Commissioner's
willingness to perform them, the resources available, and the methods he
or she chooses to publicise the outcomes. Some of the functions expressly
require or allow reporting to the Minister (see (c), (f) & (r)), and
sections 30-34 deal expressly with the manner of reporting on some functions.
Federal Commissioners to date have varied in their approach to public reporting
of their various functions - sometimes issuing a specific report, at other
times leaving comment to the Annual Report, and in some cases not publicly
reporting at all.
Contrast the Privacy Committee Act 1975 (NSW) (now repealed),
where the Committee had general power to investigate and make recommendations
concerning any interference with privacy (undefined) - but no powers of enforcement
(s.36 - specifically (l)).
This general role is now largely retained by the Privacy Commissioner
in the NSW PPIPA 1998.
The first NSW Commissioner made use of his power to make a special report
to Parliament (s.65) on two occasions - one involving a local council which
refused to act on the Commissioner's recommendation, and the second criticizing
a Minister over his actions in relation to an alleged incident at a school
(see (2002) 9(6) PLPR 109).
Information Privacy Act 2000
s.58 gives the State Privacy Commissioner perhaps the most extensive and
least constrained set of functions, including, like the NSW Act, an express
role to make public statements.
and powers of Commissioner
In addition to powers to supervise the operation of the DPPs, the Commissioner
has functions allowing him to:
- Examine proposed legislation;
- Monitor technical developments.
See Berthold & Wacks p180-1
9.2.4. Statutory guidance on exercise of functions
Privacy legislation often requires Commissioners to have regard to certain
matters when exercising their powers and functions.
Section 29 of the Privacy Act 1988 gives the Australian federal Commissioner
a list of such matters, including government and business `efficiency'; the
desirability of a free flow of information (all of which can compete with
privacy) and international obligations (some of which can support privacy
and others of which may compete). The Victorian Act (s.60) refers the Commissioner
back to the objects clause (s.5) which contains a similar free flow of information
interest to be balanced. The NSW Act appears to contain no such `constraints'.
Remedies in data protection legislation are usually available only as a
result of a breach of IPPs, even though some legislation uses more general
descriptions such as `interferences with privacy'.
9.3.1. Australia Federal - `Interferences with privacy'
The Privacy Act 1988 does not contain any sweeping prohibition
on breaches of a person's privacy.
- s16 simply says agencies may not breach the IPPs.
s13 Interferences with privacy
- s13 makes clear the limited nature of `interferences with privacy'
under the Privacy Act . There is a consistent pattern - there is always
(a) a set of principles controlling personal information (eg the IPPs,
TFN guidelines, Credit Reporting Code etc; also, in Crimes Act, the spent
convictions provisions); (b) which can usually only be breached by specific
parties (eg agencies, required TFN users, credit providers); (c) the
enforcement powers and remedies in the Act are limited to these contexts.
Section 16 makes a breach of one of these sets of principles an `interference
with privacy', and certain remedies then flow from this.
s13A Interferences with privacy by organisations
- applies a similar definition of 'interferences with privacy' to private
sector organisations, to include breaches of approved privacy codes as well
as the NPPs.
ss 18 & 18B impose similar obligations on TFN recipients and credit
providers and agencies in respect of the relevant rules.
now imposes a similar obligation on `organisations' in relation to the National
Privacy Principles or a relevant approved Code of Practice. These provisions
are significant as they impose on agencies a legal duty not to breach the
IPPs. Among other things, a breach of this section would be the basis on
which to seek an injunction against an agency under s98, and on which
complaints can be founded.
Note that the New Zealand Privacy Act 1993 introduces another element
- an action is only an `interference with privacy' if it breaches an IPP
(or Code etc) AND has caused a loss, damage, injury etc (s.66). The effect
of this is to prevent the Commissioner from even investigating a complaint
if the complainant cannot show some detriment at the outset. Under the Australian
laws, detriment would have a bearing on the remedy awarded, but is not a
test to be passed at such an early stage.
The Victorian IPA similarly defines `interferences with privacy' as an
act or practice contrary to an IPP (or applicable Code) - s.14(3). The NSW
PPIPA takes a more direct approach - agencies are required to comply with
the IPPs (s.21(1)) and a contravention is both reviewable conduct under Part
V (s.21(2)) and grounds for complaint to the Privacy Commissioner (s.45(2)).
s4 Data protection
'A data user shall not do an act, or engage in a practice, that contravenes
a data protection principle unless the act or practice, as the case may be,
is required or permitted under this Ordinance.'
The Hong Kong Commissioner does not have powers to investigate 'non-DPP'
complaints (see s38 requiring reasonable grounds for believing there has
been a contravention of the Ordinance).
Complainants must be `affected' individuals, although there is a conditional
provision for representative complaints by one of a class of similarly affected
On receipt of a complaint, the Commissioner can, and often does, initiate
preliminary inquiries under s.42 to determine if he/she has the power to investigate
further and if he/she wishes to exercise their discretion to do so.
The Commissioner may investigate a possible `interference' on his
own initiative (ie without a complaint). This power has been exercised
regularly by successive federal Commissioners in relation to matters that
are brought to light by media reports or by public interest organizations,
or referred by Ministers or other politicians.
Privacy Act 1988
Complaint investigations under s36
(1) The Commissioner must investigate a complaint from one or more
individuals alleging an 'interference with privacy' (s.40), but subject
to some conditions, and to certain exceptions in s41. One of the conditions
is that the complainant should have tried to resolve the matter with the
respondent agency or organization in the first instance (and in the case
of private sector organizations, with any relevant approved Code adjudicator).
This is a particularly valuable provision both because individuals will
often not be aware that they have been affected (eg: by breaches of security),
and because the actual damage to any one individual may not be significant
enough for them to be prepared for the investment of time and effort required
to pursue a complaint. Where a privacy breach has affected many people only
slightly, the own-motion investigation is particularly useful.
There have been a number of high profile `own motion' investigations
over the last decade, many of which have been published as `stand-alone'
reports, although there is no comprehensive index of these available - details
would have to be extracted from the successive annual reports. Some examples:
Some `own motion' investigations are the subject of media releases from the
Commissioner. One 2001 example is:
- Bulk mail-out errors by several agencies in the early 1990's
- Disclosure of social security information to Police in context of
a demonstration against arms sales in Canberra ('Aidex').
- Ten such investigations reported in the 2000-2001 Annual Report, including:
- Disclosure of ABN information by the Australian Taxation Office
- see Nigel Waters 'GST brings taxing times for privacy' (2000) 7 PLPR 37
- Improper disposal of records by an ACT school and four financial
- Two cases of disclosure of client information by Centrelink and
one by the Department of Family and Community Services
If there is an industry code in existence, with a separate Code complaint
handling machinery covering the organization complained about (eg the
General Insurance Information Privacy Code
), a complainant must take their complaint first to the code adjudicator,
and cannot ask the Privacy Commissioner to investigate it initially. If
no industry code applies (or if a Code has no complaint handling component
- eg: the
Queensland Clubs Code
), then a complainant can go directly to the Privacy Commissioner to request
an investigation. In this case, the Commissioner's investigative powers and
remedies are essentially the same as in relation to Commonwealth agencies.
If a Code under Part IIIAA includes a complaint handling mechanism, it must
meet rigorous standards laid down in the Act itself, in the Privacy
(Private Sector) Regulations 2001 (http://scaleplus.law.gov.au/html/numrul/18/9204/top.htm),
which set out in Schedule 1 'Prescribed standards for procedures relating to
complaints', and in the Commissioner's Code Development Guidelines
(http://www.privacy.gov.au/publications/cdg_01.html), final version issued in
September 2001.
As a result of a last minute amendment, individuals can ask the Privacy
Commissioner to review a decision of a Code adjudicator.
See G Greenleaf 'Private sector privacy: Problems of interpretation'
CyberLRes 3 for the following aspects of enforcement in relation to the
Ironically, Code Adjudicators are subject to a much more rigorous reporting
requirement than the Commissioner. The Prescribed Standards require written
`anonymised' reports of all determinations (naming neither complainant nor
respondent) to be made publicly available, and the Guidelines require a very
detailed annual report to be submitted to the Commissioner, who is required
by the Act (s.97(2A)) to include details of the `number, nature and outcomes'
of complaints made under Codes. This requirement may result in fuller reporting
by the Commissioner of his own complaint handling activity - he has recently
commenced a series of anonymised
on the OFPC Web site.
See Berthold & Wacks Chapter 11
Both the NSW and Victorian Privacy Commissioners have powers to investigate,
conciliate and report on complaints concerning any aspect of an individual's
privacy (but not to make determinations). The Victorian Commissioner only
has this role in relation to the public sector, but the NSW Commissioner
can exercise it in relation to both the public and private sectors (the most
important survival of the powers of the previous NSW Privacy Committee).
The Commonwealth Commissioner does not have power to investigate complaints
or make recommendations on individual complaints which are outside the scope
of an 'interference with privacy', which means a breach of one of the sets
of prescribed rules listed above.
There is a great deal of variation in the powers of Commissioners to provide
remedies to complainants.
gives the Commissioner broad powers concerning determinations of complaints,
including power to award damages. Note (b)(ii) allows him/her to order reasonable
acts to redress the complaint; and (b)(iii) provides for compensation (including
(1A) injury to feelings; (3) expenses; and (3B) corrections and additions
The Commissioner can only conciliate complaints, but agencies are required
to make decisions about remedies (including the option of compensation) after
conducting internal reviews of complaints. An agency's decisions can be reviewed
by the Administrative Decisions Tribunal, which has broad powers to award
remedies, including compensation capped at $40,000.
Complaint investigation and remedies, in 'A new era for public sector privacy
in NSW' (1999) 5 PLPR 130
Under the Victorian IPA, the roles of the Commissioner (ss.25-37) and the
Civil and Administrative Tribunal (ss.38-43) in relation to complaints are
very similar to their counterparts in NSW, except that there is no statutory
requirement for internal review, and the Tribunal can award compensation
of up to $100,000 (s.43). See later concerning appeals.
The Victorian Commissioner can issue compliance notices (s.44) for serious
and flagrant, or repeated, breaches of the IPPs (or a Code), and it is an
offence not to comply with a compliance notice (s.48) although government
agencies would attract only a modest fine.
The Commissioner can issue s50 enforcement notices 'directing the data user
to take such steps as are specified in the notice to remedy the contravention'.
Failure to comply is a criminal offence (s64(7)).
The Commissioner has power to issue enforcement notices in cases of
urgency even before an investigation is completed (s50(8)).
The Commissioner has no power to award damages. The complainant must
proceed before a Court under
for compensation from a data user for a breach of the Ordinance.
9.5.2. Method of resolution and reporting of complaints
Irrespective of what formal powers they have, there is variation in how
Commissioners exercise them, particularly in relation to the extent to which
they use their formal powers to make final 'determinations ' (Aust) or 'final
opinions' (NZ) as to whether there has been a breach of IPPs (or other provisions
of the Acts).
The alternative is to resolve complaints informally, by mediation, without
ever making a final finding. Questions then arise as to the extent to which
such informal resolutions of complaints are publicised adequately,
Rasa': Ten Reasons Why Australian Privacy Law Does Not Exist - UNSWLJ 4
In contrast to NZ and HK, in 13 years (1988-2001) the Australian Federal
Commissioner has only made two s52 determinations - both against Commonwealth
In over a decade the Federal Privacy Commissioner has made only these two
formal determinations of complaints concerning the IPPs, and none concerning
the other jurisdictions including credit reporting under Part IIIA or the
Tax File Number Guidelines.
- Determination: Secretary, Department of Defence, 1 PLPR 152
- Dept breached IPPs 4 and 11; Dept requested formal determination,
so it could account for paying $5,000 compensation.
- Determination: Minister for Administrative Services, 1 PLPR 170
- Commissioner couldn't decide there was any breach - either Dept
or Minister leaked, but no evidence.
Note: In 2000-2001 the Commissioner's office started the formal investigation
of 194 complaints (61 in 99-2000, 131 in 98-99), and 'closed' (ie settled
or dismissed) 133 complaints (103 in 99-00, 91 in 98-99) (none resulted in
formal determinations under s52) (Annual Reports).
Why are there no s52 determinations?
Does the fact that no complainants insisted on a formal s52 determination
mean that all sets of complainants and respondents in settled cases were
satisfied with the result? At least in relation to complainants, there are
reasons why it is not possible to conclude this. If the Commissioner suggests
to a complainant that a matter might be settled on particular terms, then
even if the complainant disagrees what would be the point in their insisting
that the Commissioner proceed to a formal s52 determination if they cannot
turn their disagreement into an appeal? They may as well agree and be done
with it. As a result, there may be an unknown 'dark figure' of dissatisfied
complainants due to the Act's structural defect in not allowing appeals against
the Commissioner's decisions. If so, a side effect is that we see even fewer
reasoned s52 determinations than we otherwise might expect, and the development
of privacy law is thus reduced.
Unfortunately, successive Commissioners have not systematically reported
on complaint settlements. The summaries of settled complaints in the Commissioner's
Annual Reports are very uninformative. In effect, there are few known interpretations
/ precedents to inform anyone what is possible.
In 2000-2001 the Commissioner found no breach of the Act in 47% of cases
(38% in 99-00) and closed another 23% on the basis that they had been adequately
dealt with - 9 of these involving compensation payments amounting to $52,000
in total (in 99-00 44% adequately dealt with, including 7 cases involving
compensation totalling $7000, and in 98-99 7 cases totalling $18,000).
Here are a few known examples of settled complaints from earlier years:
`Casenote - Complaint: Department of Social Security'
(1994) Aust. Privacy Commissioner, (1994) 1 PLPR 190; DSS requested the Privacy
Commissioner to investigate; a data matching program (not under the Act) was in
breach of IPP 8 (failure to take reasonable steps before using...).
Casenote - Complaint against the Minister for Housing (NSW) and others
(1994) Aust. Privacy Commissioner, (1994) 1 PLPR 153; this breach of s18N
was settled - but for a public apology, $1000 compensation for hurt feelings,
and some significant interpretation of the Act. This was the first settled
complaint reported, and shows how valuable they can be.
As a result of this limited reporting, potential complainants or respondents
(or their advisers) have precious little information about how the Act is
interpreted from prior complaints experience. The overall impression that
is left by thirteen years operation of the Privacy Act is that, while
Commissioners are interested in doing justice to individual complainants,
the use of the complaints function of the Act to develop privacy law and
to guide parties to future complaints is a matter which has the lowest possible
However, in 2002, the Commissioner commenced a welcome series of anonymised
on the OFPC Website and these could progressively build up into a useful
The Australian Federal Privacy Commissioner has decided that it is only
in 'rare circumstances' that he will consider identifying a company that
is the subject of a privacy complaint. Information Sheet 13
The Privacy Commissioner's Approach to Promoting Compliance with the Privacy
states that the normal anonymised approach will be as follows:
"The Office includes in its annual report some cases studies
on complaints it has handled and investigations it has carried out. These
are reported in summary form and do not generally identify the complainant
or respondent. With the new private sector provisions, the Office plans
to add to this approach by publishing more frequent, de-identified case notes
on complaints it has handled (see above). The aim of these will be to help
organisations and the community understand the way the Office applies the
provisions of the Act and, where relevant, the provisions of approved codes."
The circumstances where respondents (companies etc) will be named are as follows:
"On occasion there may be some merit in making public the circumstances
of a particular complaint or investigation. This may be, for example, where
there is already publicity around a particular matter before it reaches the
Office or where, despite all the other approaches the Office has taken, an
organisation continues to engage in behaviour that constitutes an interference
with privacy. This would clearly be a serious step which could have commercial
consequences for the organisation concerned. It would only be appropriate
in rare circumstances. In the ordinary course of events, the Commissioner
would not consider such a step unless:
* an organisation either repeatedly or very seriously breaches the Privacy
* the organisation demonstrates by its actions that it does not intend to
comply with its legal obligations; and
* all other measures have failed to change the organisation's behaviour."
This conjunction of requirements means that, no matter how repeatedly or
seriously a company has breached the Act, if it demonstrates an intention
to mend its ways it will not be named at the Privacy Commissioner's initiative.
'Name and shame' is not part of this Commissioner's armoury.
The only likely way that the identities of privacy-invading companies
will be known is where complainants have the courage to go public and the
media to report them, or the complainant pushes for a formal determination
under s52. The two s52 determinations made by previous Commissioners in the
past 13 years have been published, and have identified the respondent departments,
but Information Sheet 13 is silent on that.
Even more restrictive, the reporting of identified complaints is
completely eliminated if a complaint is dealt with under an industry Privacy
Code (Part IIIA Privacy Act 1988). The Privacy (Private Sector)
Regulations 2001 set out in Schedule 1 'Prescribed standards for procedures
relating to complaints', which gives the Commissioner his instructions from
the government as to what industry codes he can and cannot approve. Part
5 'Accountability' states under 'Principle' that 'Reports of determinations
and information about complaints must be published...', but in fact only
mentions determinations. In relation to determinations it includes the initially
positive requirement in cl 5.2 that '(1) Written reports of determinations
by an independent adjudicator must ... (b) be made available to any other
interested person or body' but unfortunately then provides that '(4) A report
must not: (a) name any complainant or respondent organisation'. The 'determinations'
made by Code adjudicators are supposed to be the same as those made under
s52 (s18BB(3)(d)), so there appears to be an inconsistency between previous
practice and the Regulations. Part 5 says nothing about publication of details
of other complaints which are resolved by mediation not by a determination,
so there is no reason to assume that the Commissioner's approach to providing
de-identified summaries will be followed.
The formal complaints mechanism for complaints to the NSW Privacy Commissioner
under the PPIPA 1998 (ss.45-51) has only been available since 1 July 2000.
The first Annual report on the new regime is not available on the web site,
which only contains reports of two special investigations. The NSW Act also
provides for complainants to follow an alternative route of internal review,
with a right of appeal to the NSW Administrative Decisions Tribunal (ss.52-56)
- see 9.6.2 below. The Commissioner has to be notified of internal reviews
and will presumably publish statistics on them and their outcomes in future.
The Privacy NSW website already provides
to ADT decisions.
In 2000-2001 the NZ Commissioner closed 654 complaints without reaching
a final opinion, and closed 116 after reaching a final opinion (and found
49 of these of substance). (Annual Report 2000-2001).
There is extensive reporting of settled complaints by the New Zealand
Privacy Commissioner, by summaries in his monthly 'Private Word' newsletter
(http://www.knowledge-basket.co.nz/privacy/scompf.html), and by periodic release
of collections of complaint notes.
Canada - British Columbia Commissioner
- Contrast the Information and Privacy Commissioner, British Columbia,
a Commissioner who sees formal reporting of complaints and how they are resolved
as one of the main weapons in his armoury:
Hong Kong Commissioner
In 1999-2000, of 303 complaints formally completed, 137 (45%) were
resolved through mediation, 13% found to be unsubstantiated on investigation,
and 24% were withdrawn. Of the 56 (18%) formally resolved, 29 were found
to involve contraventions of the Ordinance. These resulted in 21 warning
notices, requiring written undertakings to implement remedies, with only
4 resulting in enforcement notices directing remedial actions.
The HKPCO reports anonymised summaries of both complaints and enquiries
on its web site. However, there is no comprehensive reporting of cases which
have gone to the stage of formal resolution.
provides 'the Commissioner may, after completing an investigation and if
he is of the opinion that it is in the public interest to do so, publish
a report' detailing the results of the investigation, his recommendations
and comments. However, it must 'prevent the identity of any individual being
ascertained from it' (s48(3)), but this right of anonymity does not apply
to data users (s48(4)(b)), only to complainants and other 3rd party individuals.
(See Berthold & Wacks p205 for more discussion.)
Commonwealth agencies are simply bound to comply with determinations when
). See also s59 (obligations of principal officers of agencies), and s60
(compensation awarded to be an agency debt).
- [Parties names in Chinese characters] Case No DVCCJ 7812
of 1997 (District Court) - Restaurant employee claimed damages for alleged
breach of DPP 3 because his employer published his full name in a newspaper
as the contact person for the hiring of a junior chef. Judge CB Chan held
there was no breach of DPP 3 as this was directly related to the purpose
for which his employer had collected his full name, so that he could perform
one of the duties of his employment. In dicta the Court stated that, in any
event, the plaintiff had not established 'a loss which resulted to the plaintiff
as a natural consequence of the act of the defendant in inserting the plaintiff's
full name in the newspaper'. P had resigned in anger at the insertion of
his name, but 'he had a choice of not being angry' and the resignation was
his choice, not a dismissal. Nor had he shown evidence of distress flowing
from the publication, and claims that 'bad elements' might mistake him for
someone of the same name were 'far-fetched and unfounded'. Costs were awarded
The problem of enforcement of Privacy Commissioner's decisions against
other parties arises from Brandy v Human Rights and Equal Opportunity Commission
(1995) High Court (see Casenote (1995) 2 PLPR 32) where it was held that,
in relation to complaints against respondents other than the Commonwealth,
the previous system for lodging HREOC determinations (including Privacy
Act 1988 s52 determinations) in the Federal Court, whereupon they become
binding, was an invalid exercise of the judicial power. The 'quick Brandy
fix' was to revert to the old system of a de novo hearing in the Federal
Court in order to enforce a determination by a HREOC Commissioner or the
Privacy Commissioner. Unfortunately, one of the anomalies arising from that
expedient is the unfair difference in de facto appeal rights outlined below.
In most jurisdictions where data protection laws are in force, there have
been few if any significant decisions by Courts (or even by administrative
appeals tribunals) interpreting the legislation and its enforcement.
This pattern is also apparent in the Asia-Pacific region.
We should try to understand: (i) how significant this is; and (ii)
why it occurs.
There is no right of appeal against determinations by the Privacy Commissioner
in relation to complaints against agencies (IPPs) or complaints against the
private sector (NPPs). Either side can only appeal to the AAT concerning
the amount of compensation or expenses awarded by the Commissioner (agencies
only with A-G's permission) (s61).
Judicial review of the Commissioner's decisions is available, but
not a right of appeal on the merits of the complaint.
Appeals against Code Adjudicators to the Privacy Commissioner
Due to a last-minute amendment to the Privacy Act (Private Sector) Bill 2000
there is now a right of appeal to the Privacy Commissioner against any determination
by a Code Adjudicator (s18BI), to include a review of 'any finding, declaration,
order or direction that is included in the determination'.
This right of appeal will reduce the appeal of industry codes in
some industry sectors.
The NSW Act, although it appears to give complainants a right of appeal to
the Administrative Appeals Tribunal, also has a defect which will frustrate
complainants. Complainants may elect whether to have a complaint about a
breach of the IPPs investigated and conciliated by the NSW Privacy Commissioner
(s45), or subject to an internal review by the agency concerned (s53). However,
the right of appeal is only against an internal review by an agency (s55),
so if a complainant is dissatisfied with the Commissioner's conciliation,
they will first have to seek an internal review before their right to appeal
to the AAT arises.
9.6.2. NSW PPIPA
The ADT has commenced publication of all
on review of internal reviews under the PPIPA by its General and Appeals
9.6.3. Victorian IPA
The Victorian Act is the only one that appears to give dissatisfied
complainants (or agencies) an unfettered right (s.37) to have the NPPs and
other provisions interpreted by the Victorian Civil and Administrative Appeals
Tribunal (VCAT) and ultimately by the Courts. There appear to be no published
VCAT cases involving the IPA.
There is a right of appeal against the Commissioner's decisions to the Administrative
Appeals Board (AAB), by either the complainant or the data user:
- A data user may appeal against s50 enforcement notice (
within 14 days of notice.
- A complainant may appeal against the Commissioner's refusal to
investigate, or to continue to investigate a complaint (
The AAB hears the matter ab initio.
To date (2002) there have been fewer than 20 such appeals (decisions
not yet available online). Some of the decisions (in English) are:
- Kam Sea Hang Osmaan v Privacy Commissioner (2001) AAB No
29 of 2001;
- Tso Yuen Shui v Privacy Commissioner (2000) AAB No 24 of
- Lau Wai Kay Ricky v Privacy Commissioner (2000) AAB No
11 of 2000;
- Chow Shun-Yung v Privacy Commissioner (2000) AAB No 25
- Apple Daily v Privacy Commissioner (1999) AAB No 5 of 1999;
- Mou Pui Hong v Privacy Commissioner (1998) AAB No 10 of
- Chan Kuen Fei v Privacy Commissioner (1997) AAB No 4 of
There is no right of appeal to a Court against an AAB decision, on the merits
of a decision.
However, either party to a complaint may seek judicial review of
a decision by either (i) the Commissioner or (ii) the AAB. Such judicial
review may be on the basis of either error of law or procedural deficiencies.
For example, in Eastweek v Privacy Commissioner for Personal Data HKCA 137,
Eastweek sought judicial review of the Commissioner's decision by the Court
of First Instance because the decision 'was erroneous in law or unreasonable
on Wednesbury principles and had been arrived at in breach of procedural
fairness', and subsequently appealed to the Court of Appeal. The Court of
Appeal found that there was an error of law in the Commissioner's
interpretation of DPP1 (in relation to the meaning of 'personal data collection').
There are therefore two other avenues by which Courts may interpret
- Complainants may also commence Court proceedings for compensation
(s66) without first making a complaint to the Privacy Commissioner (see later).
- Interpretation of the Ordinance may arise in the course of other
proceedings; for example:
- Man Hok Pui v Man Leung Yuk Sin (1997) Suit No 1425
of 1988, District Court - Deputy Judge Saunders held that the expression
'seriously improper conduct' in s58 included contempt of Court by failure
to comply with a maintenance order. He then found that "where a person is
in breach of a Court order and another person, being entitled to the benefit
of that order, wishes to enforce that order, then, by virtue of the provisions
of s58(2) of the Data Privacy Ordinance [sic], a user is exempt from the
provisions of data protection principle 3 and may supply the information
upon appropriate request." The Housing Department of the Immigration Department
would therefore be ordered to disclose 'the address or movement record of
the other spouse', in order to enable the maintenance order to be enforced.
- Kwan Chi On v. Hong Kong Baptist University and Another HKCFI 625 - DPP 3
raised in attempt to prevent disclosure of personal data by University to
a third party. (Substantive issue not discussed by Court as decided on other
grounds.)
Although it is not possible for a complainant to appeal from a determination
by the Commissioner to a Court in relation to a complaint about the Federal
IPPs or the NPPs, an injunction can be sought to restrain a breach. Section
98 of the Privacy Act 1988 allows 'the Commissioner or any other person'
(including, but not limited to, a complainant likely to be affected by the
breach) to go direct to the Federal Court or the Federal Magistrates Court
to seek an injunction to prevent a breach of the IPPs or NPPs. The injunction
power, which has never been used, allows a litigant in an appropriate case
to have an IPP or NPP interpreted by the Courts, and then pursue compensation
or another remedy from the Commissioner.
It is important to note that the injunction power applies to the
Courts have not shown an adequate appreciation that s98 is included
in the Act. For example, in Ibarcena v Templar  FCA 900, Finn
J seems to have proceeded on the mistaken assumption that 'Mr Ibarcena cannot
simply allege a breach of an Information Privacy Principle of the Privacy
Act for the purpose of enlivening this Court's jurisdiction and for the
grant of relief'. With respect, he can by seeking an injunction, at least
in relation to breaches or potential breaches where an injunction would be
Similarly, in Goldie v Commonwealth of Australia (Federal Court
of Australia, FCA 1873), French J gave an account of how complainants
could come before a Court, but omitted any mention of s98 injunctions.
9.7.3. Compliance Notices
- Victorian IPA: IPA 2000 s44 'Compliance notice' gives the Commissioner
a power not found in other Australian Acts, but which is the basis of
enforcement in the Hong Kong and UK Acts:
s44 (1) The Privacy Commissioner may serve a compliance notice on an organisation, if it appears to
him or her that--
(a) the organisation has done an act or engaged in a practice in contravention of an
Information Privacy Principle, including an act or practice that is in contravention of an
applicable code of practice; and
(b) the act or practice--
(i) constitutes a serious or flagrant contravention; or
(ii) is of a kind that has been done or engaged in by the organisation on at least 5
separate occasions within the previous 2 years.
(2) A compliance notice requires the organisation to take specified action within a specified
period for the purpose of ensuring compliance with the Information Privacy Principle or
applicable code of practice.
See above concerning the role of 'enforcement notices' in the Hong
9.7.4. Criminal offences
See Berthold & Wacks pp 235-6
Criminal offences are the exception rather than the rule in Australian
privacy legislation. There are a few exceptions:
- NSW PPIPA s62 and s63 provide for criminal offences concerning
corrupt disclosure and use of personal information by public officials, and
offers to supply personal information disclosed unlawfully.
- Privacy Act 1988 Part IIIA credit reporting offences
- G Greenleaf, 'No privacy tort?' in 'Victoria's privacy Bill still sets
the standard' (2000) 7 PLPR 21 - Victorian Act precludes a breach of an IPP
being a statutory tort, but does not preclude other possibilities.
Since 1989, the Commonwealth Act has provided for a Credit Reporting Code
of Conduct, issued by the Commissioner under Part IIIA, which supplements
the prescribed standards for credit reporting in that Part, and which has
statutory effect - the Code is a disallowable instrument.
'Privacy Codes: What are they? Where are they?'
(2000) 7 PLPR 161 - This is a comprehensive overview. Key points include:
- The different status and effect of instruments variously titled
Codes, Guidelines, Standards etc
- Arguable advantages - different under different laws - much
more attractive where they can weaken the default standard (NSW) compared
to Cth and Victoria (no less stringent).
- The critical role of consultation
- Amendment and revocation - a possible weak link
- Nigel Waters, 'Rethinking information privacy -- a third way in data
protection?' PLPR 6; (2000) 6 PLPR 121 - explains how co-regulation helps
make Australian and New Zealand privacy laws distinctive
The private sector amendments to the Commonwealth Act in 2000 provide
a potentially major role for Codes of Practice, which can both vary the Principles
and provide an alternative `first tier' dispute resolution scheme (Part IIIAA).
Any variation to the NPPs must provide, overall, at least the equivalent
of the statutory obligations. A long list of criteria which Codes must meet
to be approved by the Privacy Commissioner can be supplemented by additional
requirements in Guidelines. Draft Code Development Guidelines issued by
the Commissioner in May 2001 for comment suggest a very demanding standard
of both content and process, and it remains to be seen how many sectors are
prepared to go through the process. Given that the standards cannot be lower,
and that a separate complaints mechanism will come at a direct cost to the
sector concerned without avoiding the prospect of Privacy Commissioner decisions
(an appeal right was inserted at the last moment), it is difficult to see
what significant advantage a Code will bring.
Codes under Part IIIAA are not disallowable instruments.
Various Guidelines issued by the Commissioner (eg on TFNs, data matching,
and the Medicare and Pharmaceutical Benefits Scheme) have statutory force;
they are effectively customised versions of the IPPs for specific sectors or
activities. These Guidelines are disallowable instruments.
The Commonwealth Act has provided since 1988 for the Commissioner to waive
the application of one or more of the IPPs for one or more Commonwealth agencies,
where other public or private interests seem to outweigh the protection
of privacy. Obtaining such a waiver, by means of a Public Interest Determination
under Part VI, is a fairly complex and time-consuming process, involving community
consultation, and only 6 have been issued since 1988.
The private sector amendments to the Commonwealth Act in 2000 extend
the scope of Part VI to private sector businesses and also introduce a new
instrument - the temporary public interest determination - which can be obtained
more quickly and easily, but which is time-limited.
The NSW Act provides for Codes of Practice which can weaken the statutory
IPPs but must not impose a higher standard (PPIPA ss. 29-32).
The NSW Act also allows the NSW Privacy Commissioner to issue Directions
under s.41 which can exempt an agency from complying with one or more of
the IPPs - this is equivalent to the Commonwealth Public Interest Determinations.
- As at 3 May, Privacy NSW lists 10 approved Codes and a further
8 at various stages of consideration
- The Commissioner has issued a number of Directions to date, mostly
time-limited to give agencies an extension of time to apply for a Code of
The Victorian Act provides for Codes of Practice which can vary the IPPs
as long as they are "no less stringent" (IPA ss.18-24).
There is no equivalent in the Victorian Act to the public interest
determination or direction provisions of the Commonwealth and NSW Acts
The Privacy Act 1988 was one of the first privacy laws in the world to
include provision for pro-active privacy auditing by the regulator. (There
was some previous experience under the Canadian Federal Act). The Privacy
Commissioner has the function of conducting audits of Commonwealth agencies
compliance with the IPPs (s.27(1)(h)), and has a similar function in relation
to Tax File Numbers, and due to subsequent amendments, in relation to credit
reporting and data-matching.
However, the Commissioner does not have an audit power in relation
to the private sector generally. The government opposed this in the consultations
concerning the private sector Bill.
The Privacy Commissioner has maintained a reasonably active audit
program since 1989, varying in intensity and scope with resource availability.
Details of audits conducted in both the public and private sectors are published
in the Commissioner's Annual Reports and should, at least in theory, serve
a valuable educational function in demonstrating to other agencies and organizations
what practical steps are required to satisfy the relevant principles or standards.
The Commissioner has also run seminars to disseminate audit findings more
widely, and encourages the private sector to commission audits by private
contractors independently of the Commissioner's own program, which can only
ever inspect a small proportion of the total `population'.
The Commissioner has published details of the audit process:
While the NSW Privacy Commissioner does not have an express audit or inspection
function other than in relation to complaints, his functions and powers appear
to be broad enough to allow him to conduct `pro-active' inspections if he
chose to do so. In practice, the NSW Commissioner is so poorly resourced
that there is no realistic prospect of a proactive audit or inspection role
other than in response to high profile incidents.
The Victorian Commissioner has been given a specific audit role (s.58(j)
and (g)). It remains to be seen if the Victorian Commissioner is able to
devote any resources to pro-active work - although it is understood that
the office will be significantly better resourced than in NSW.
In most jurisdictions there have been a variety of studies and reviews aimed
at assessing the privacy implications of new proposals, mainly in government
but also in the private sector. Recently, there have been attempts to formalize
and characterise Privacy Impact Assessment as a distinct tool or technique.
The NSW Act requires agencies to prepare formal Privacy Management Plans
explaining how they intend to comply with the IPPs, and outlining procedural
aspects such as processes for access requests and internal reviews (s.33
PPIPA). Agencies were required to submit initial Plans to the Privacy Commissioner
by 1 July 2000 (the same date as compliance with the IPPs became `actionable').
In reality, many agencies left the preparation of Plans very late and many
agencies, including some major ones, did not make the deadline.
While there is no equivalent requirement in either the Commonwealth
or Victorian Acts, many agencies in both jurisdictions carried out (Cwlth)
or are undertaking (Vic) major reviews of their handling of personal information
to prepare for compliance, although these are typically not as `public' as
the NSW Plans, which the Privacy Commissioner intends to make publicly available
(14 Plans were online as at 3 May, although others are available on agencies'
own sites). In NSW, agencies are also required to report annually on their
implementation of their Plans.
The federal Privacy Commissioner has encouraged Commonwealth agencies to
do the same, along the lines of the statutory requirement in the FOI Act
(s.8), but there has only been a limited take up of this valuable option.
The voluntary adoption of the National Privacy Principles by the Direct
Marketing and Insurance Industries, already discussed above under Codes,
is a form of `seal' program, and both schemes have in fact developed logos
which signatories can display as evidence of their commitment.
Privacy seal programs have been established for longer in other jurisdictions
- notably the United States. For commentary on some of these programs, see:
Main criticisms are of `self certification' - no independent assessment of
compliance, and of inadequate or non-existent complaint and enforcement mechanisms.
A new privacy seal program, by the Australian Privacy Compliance Centre,
was launched in Australia in April 2001, as a component of a wider trust
in e-commerce initiative.
Another possible model of privacy regulation, both at the national and international
levels, is the development of consensus-based standards through the international
standards-setting organisations (the International Standards Organisation,
ISO, and its national equivalents) which normally set technical standards
such as for food hygiene, accounting practices etc.
One important question about the development of such Standards (international
or national) is whether their adoption by companies (or government departments)
can satisfy the data export requirements of the European Union's privacy Directive.
If adoption of this type of Standard can satisfy the EU requirements, then
there is less pressure on governments (such as in Australia) to legislate
for privacy protection.
The development of such standards emerged as a serious possibility
in the mid to late 1990s but has now receded.
Canada is the first country to develop a Standard for privacy. The principles
in the Canadian `Model Code' should be compared with the IPPs.
Canadian Standards Association, Model Code for the Protection of Personal
Information (unofficial copy on Roger Clarke's pages - note the useful
additional links at the end).
The content, and some of the enforcement problems of the Canadian
Standard, are criticised in Graham Greenleaf, 'Stopping surveillance: Beyond
'efficiency' and the OECD' 3 PLPR 148.
An attempt is currently underway to create an international privacy standard
through the International Standards Organisation (ISO).
Prospects for an International Standard for the Protection of Personal Information:
A Report to the Standards Council of Canada
(1997) - Bennett (who was very involved in the development of the Canadian
Standard) provides a detailed assessment of the potential value of an international
Bennett gives details of the following background to these developments:
- In April 1996, the consumer associations' committee (COPOLCO)
of the International Organization for Standardization (ISO) recommended to
the ISO that `work be initiated on the development of an International Standard
for the protection of personal data and privacy'. COPOLCO had taken as its
starting point the work of the Canadian Standards Association.
- The General Council of ISO accepted this recommendation in September
1996, and the 12-member Technical Management Board of ISO met in January
1997 in Geneva to consider how work would begin on this standardization effort.
`However, reservations about this initiative, especially from the representatives
from the American National Standards Institute (ANSI), had already been circulated.
The TMB decided, therefore, to refer the issue to a temporary study group...'
The ISO's study group has not yet issued a report.
`An International Standard for privacy?'
(1997) 4 Privacy Law & Policy Reporter 90 summarises the international
developments up to late 1997. In it he says:
There have been several reports in the media suggesting that
the International Standards Organisation (ISO) is writing a privacy standard.
There have also been several reports suggesting that compliance with such
a standard will ensure compliance with the European Union Directive on Data
protection. These reports are inaccurate. The ISO has taken the first steps
towards consideration of the need and practicality of a standard on the protection
of personal information. That is all. The European Union has made no comment
on the relationship between the Directive and any potential standard.
In late 1999 the work of the Group was put on hold. Delegates had failed
to reach a consensus on whether the development of a Standard was worthwhile,
and the entire process was overtaken by negotiations between the EU and the
United States which eventually led to the development of the Safe Harbour
initially considered the development of an Australian Privacy Standard.
However, since 1999 Standards Australia has instead concentrated on adding
privacy requirements to specific technical standards. Examples include the
Australian Standard on Intelligent Transport Systems and the Australian Standard
on the Exchange of Client Data. The usual format is that developers will
be required to take privacy issues into account when designing systems and
the NPPs or IPPs will be provided as an appendix for `guidance'.
The practical effect may be quite important, if the IPPs/NPPs are
'built in' at the design stages of systems, products and services.
See Casenote by P Gunning (2001) 7 PLPR Issue 10 (forthcoming)