Privacy Law and Policy Reporter
July 1 2000 was a major milestone in the implementation of the NSW Privacy and Personal Information Protection Act 1998. From 1 July, agencies are liable for breaches of the Information Protection Principles (IPPs), or of any approved codes of practice which vary the IPPs. Agencies are also supposed to have in place a Privacy Management Plan detailing how they intend to comply with the Act.
Despite a last-minute flurry of activity, many agencies had not completed their management plans by the deadline, and Privacy NSW appears to be exercising discretion in encouraging the completion of the remaining plans as soon as possible. It is not yet clear how the existence of plans will be publicised — other than by the agencies themselves in response to requests under IPP 6 and in their annual reports. It would clearly be useful if Privacy NSW were to publish on its web site a list of the completed Management Plans with contact details (and direct links if possible).
Codes of practice, varying the IPPs, can either be prepared by agencies or by the Privacy Commissioner. In June, the Privacy NSW website only listed one draft code — a generic code on research uses of agency records. As at 19 July, the site lists nine codes as having been approved by the Minister, covering health, police, local government, the Legal Aid Commission, the Department of Fair Trading, Bureau of Crime Statistics, workforce profiling, the Director of Public Prosecutions and law enforcement and investigative agency access to public registers. A further nine codes are listed as submitted, proposed or released for consultation. Most of the approved or draft codes are not yet available online, although Privacy NSW intends to post them as soon as practicable (the workforce profiling code has apparently been on the Premier’s Department’s website since 1999). The approved codes have apparently been gazetted, although this is only available on paper, at a cost.
The Act provides for such consultation on codes as the Commissioner or agency thinks appropriate (s 31). It would seem that neither the agencies concerned nor the Commissioner has seen much need for consultation, given that most privacy and consumer groups appear unaware of the nine approved codes. The website also shows that the Commissioner has issued six temporary directions under s 41 pending the finalisation of some codes. As at 19 July, only two of these directions were provided in full (exemptions for investigative purposes — valid until 30 July, and transfers between agencies — valid until 30 September). The Commissioner is required to apply a public interest test before making directions, and it is difficult to see how he can have done so without some consultation. Given that the Act itself is already riddled with exemptions and exceptions, it is very disappointing that the Commissioner has not taken a firmer stand against the need for further concessions.
The Privacy NSW response to these criticisms is that the sheer logistics of handling agency requests for exemption in the months prior to 1 July prevented any widespread public consultation, although they point out that their guidelines for code preparation emphasise the importance of agencies consulting their stakeholders. It has clearly been felt necessary to avoid any significant disruption to agency functions, which may well have happened if the Commissioner had not been flexible — until now many state instrumentalities have not confronted the need to produce explicit legal authorisation for their information processing activities, and some appear to be having difficulty in doing so.
It is becoming increasingly clear that the way that legislation works in NSW is somewhat different to how the Commonwealth works and probably to most people’s expectations. Not only does the government retain control over when to proclaim and commence parts of legislation (many NSW laws remain in limbo years after passage), but some agencies seem to regard the privacy law as a nuisance to be circumvented rather than as a new standard with which they must comply.
Given that agencies have had more than 18 months’ notice of the new requirements, it is very disappointing that any significant compliance problems were not identified and resolved much earlier. Faced with a sudden rush of claims for exemption — no doubt accompanied by dire predictions of the effect of denying them — it is perhaps unsurprising that the Privacy Commissioner, with his limited resources, has not felt able to resist.
It is understood that Privacy NSW has managed to negotiate significant limitations in the ambit claims presented by some agencies, and that on the more sensitive exemptions — such as those concerning investigative functions and inter-agency transfers — more time has been bought by the issuing of temporary directions. However, there is not much point in buying time if it is not used to ensure a wider public debate, and for this to happen, the draft codes and business case to support them need to be made public and interest groups notified.
Most Privacy Commissioners continually make the mistake of overestimating their power and influence ‘behind the closed doors’ of the bureaucracy. Given the NSW Commissioner’s general ‘media savvy’ and good track record on dealing with such sensitive issues as DNA testing and Olympic security, it is surprising that he appears to be falling into this trap.
The Privacy Commissioner appears not to have seen the value of enlisting privacy and consumer groups to help defend the integrity of the law — Commonwealth experience has shown that it strengthens a Commissioner’s hand considerably, when in negotiation with agencies, to be able to point to advocacy groups’ concerns and the potential political pressure they can bring to bear.
The number of additional exemptions granted and under discussion, without any public debate, detracts from the significance of the 1 July milestone. It remains to be seen if the Commissioner can recover from this disappointing start to the long-awaited introduction of enforceable privacy law in NSW.
Nigel Waters, Associate Editor.