(For publication in Privacy Law & Policy Reporter, Vol 5 No 7, February 1999)
Twenty-four years after the Privacy Committee Act 1975 (NSW) established the world's third permanent privacy protection body, New South Wales has new privacy legislation. The Privacy and Personal Information Protection Act 1998 heralds a new era for the protection of privacy in the New South Wales public sector - but not just yet.
The Bill's Parliamentary progress was reported in (1998) 5 PLPR 69, 99 and 124. The Legislative Council made various amendments to strengthen considerably the Bill introduced into the Assembly (described in PLPR as a contender for 'world's worst practice' in privacy protection). Two further amendments made by the Legislative Assembly were accepted by the Legislative Council (discussed below). The Act was subsequently passed and assented to on 30 November 1998. The substantive parts of the Act have not yet been proclaimed.
Chris Puplick, the former Chairman of the Privacy Committee, was appointed as Privacy Commissioner, as the Attorney-General had previously stated would be the case. Mr Puplick will combine the office of Commissioner with his position as President of the Anti-Discrimination Board.
It is expected that there will be a phased introduction of the remainder of the Privacy and Personal Information Protection Act 1998 to give public sector agencies sufficient time to comply with the Act's mandatory provisions. How long this will take with a NSW public sector that has already succeeded in obstructing this legislation for many years remains to be seen. This delay is likely to affect Part 2 of the Act dealing with compliance with information protection principles, Part 3 dealing with privacy codes of practice and privacy management plans, Part 5 dealing with review of conduct, with those offence provisions in Part 8 which are dependent on the introduction of Parts 2 and 3 and with the public register provisions in Part 6.
Parts 4 and 7 and the remainder of Part 8 dealing with the operation of the Privacy Commissioner and the Privacy Advisory Committee are more likely to be proclaimed earlier to enable the Privacy Commissioner to give preliminary advice and prepare explanatory material on the coverage of the Act. The Commissioner will take over complaints lodged with the former Privacy Committee. He will continue to exercise similar research, educative and advisory powers to those of the Committee in relation to privacy issues which are not covered by the Act's mandatory provisions.
Catherine Riordan (formerly Acting Executive Member of the Privacy Committee) and the Committee staff continue to act as staff of the committee or 'members of the Privacy Committee' under the interim regulation. Staff of the Privacy Committee are expected to transfer to the Privacy Commissioner's Office.
In summary, the current position is:
Codes of practice, made by Ministerial regulation and disallowable by Parliament, can modify the operation of the IPPs and provide exceptions to their operation. Complaints of breaches of the IPPs may be investigated by the new NSW Privacy Commissioner, or by internal review within an agency. The Commissioner can only mediate complaints, but complainants will be able to appeal from internal reviews to the new Administrative Decisions Tribunal. The Tribunal can award compensatory damages of up to $40,000 and can order remedial actions.
Some notable features of the NSW IPPs are:
Codes may modify, in relation to an agency or class of agencies, the operation of both the IPPs and the public register privacy principles in Part 6 (s30). This includes exemptions from the operation of an IPP, as well as specifying the manner in which the IPP will apply (s31(2)). It seems, therefore, that a code could operate as either a full or a partial replacement for the IPPs (for an agency), depending on its terms. An agency is still required to comply with the IPPs applying to the agency when a code is made (s21), it is just that the code may modify which IPPs (or parts of them) do apply to the agency. Agencies are required to comply with codes (s32) on the same basis as they are required to comply with the IPPs (s21), and contravention of either can lead to the remedies provided by Part 5.
Codes are made by the Minister (s31(4)) responsible for the Act (the Attorney-General), but their development can only be initiated by the Privacy Commissioner or an agency (s31(2)), who may consult anyone they wish during the process. Where an agency initiates a code, it must 'consult with the Privacy Commissioner' before it submits the code to the Minister (s31(2)). The Minister must consider any submissions made by the Privacy Commissioner before making the code (ss31(3), (4)). However, the Minister can only 'make' the code as proposed by the Commissioner or the agency; he or she cannot re-write it. A code of practice is not a statutory rule, as it is not 'required by law to be approved or confirmed by the Governor' (Interpretation Act 1987 (NSW) s21). Only statutory rules may be disallowed by resolution by either house of Parliament (Interpretation Act 1987 (NSW) s41), so there is no provision for Parliamentary oversight (contrary to what was said in (1998) 5 PLPR 69). This is a considerable deficiency in the Act, and contrasts with the Commonwealth Privacy Act 1988, where exemptions made by the Commissioner under Part VI are disallowable instruments.
The opportunity for public notice of draft codes, and public input into their development, therefore depends largely on how the Privacy Commissioner interprets his role. The Commonwealth Privacy Act 1988 requires public notice and opportunities for input before exemptions to the IPPs are made under Part VI, and it would be desirable if the Commissioner attempted to provide such opportunities here. Agencies may do likewise.
Amendments to codes must follow the same process (Privacy and Personal Information Protection Act 1998 s31(7)). While it is possible for the Minister to repeal any such codes he makes (Interpretation Act 1987 s43(2)), Privacy and Personal Information Protection Act 1998 s31(7) removes the Minister's normal power to alter them after he makes them.
In a confusing duplication, the Privacy Commissioner also has powers, 'with the approval of the Minister', to grant agencies exemptions from the principles (s41), which power is limited by a requirement that the public interest in the exception should outweigh the public interest in upholding the principle (similar to Part V of the Commonwealth Act). It will be surprising if these redundant powers are used.
As explained in (1998) 5 PLPR 69, the Act also contains various devices other than code-making by which the Minister can limit the operation of the Act, including the power to exempt information from the definition of 'personal information' and to extend the list of 'investigative agencies'.
Unlike the Commonwealth Privacy Act 1988, the New Zealand Privacy Act 1993, and the Hong Kong legislation, the Minister makes the codes/exemptions, not the Privacy Commissioner. The 'worst case' end result would be that a privacy-hostile Minister would make numerous further exemptions from the Act, outside the control of the Privacy Commissioner (who might be expected to wish to keep exemptions to a justifiable minimum). The lack of explicit provisions for public input in the code process could mean that the public might not hear of an exemption until after it is made. Vigilance by public interest groups, the Commissioner and the media will be valuable, but in the absence of Parliamentary disallowance it will be difficult to prevent the Act suffering 'repeal by instalments' if agencies propose codes which weaken the Act and an Attorney-General accedes to their wishes. An Attorney-General with a willingness to protect privacy is what the Act will need most.
Following amendments, the Act now has one weak protective standard. Codes of conduct 'must provide standards of privacy protection that operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales' (s29(7)(a)). A Minister could therefore not make a code which would set a standard so low that it would expose NSW to data export restrictions by European Union countries or other countries. This opens up an interesting avenue by which Ministerial actions may be questioned by administrative law actions.
A Legislative Council amendment provided that codes could not weaken the IPPs unless the Privacy Commissioner was satisfied that the public interest in allowing the exemption outweighed the public interest in the agency complying with the IPP. This was merely a weak version of s71 of the Commonwealth Privacy Act 1988, but the Government overturned the amendment in the Legislative Assembly on the grounds that the Privacy Commissioner should not have power to veto codes (see 5 PLPR 70 for a contrary view), and the Legislative Council then acceded to the government's wish. The obvious alternative of requiring the Minister to comply with the public interest test was ignored.
As a result, the extent to which the Minister can undermine the IPPs through weak codes is unclear. A restrictive approach would focus on Privacy and Personal Information Protection Act 1998 s29(1), arguing that codes can only exempt an agency from an IPP where the code has the overall effect of providing better privacy protection to individuals. This approach could have much the same effect as the proposed 'public interest' exemption, but would still leave the test to be applied by the Minister, as the Government wished. This will be an interesting issue if it ever comes before the Administrative Decisions Tribunal.
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
(b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply:
(a) until after the first anniversary of the commencement of this section, or
(b) until a code referred to in subsection (4) is made,
whichever is the later.
The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.
A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.
An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW.
This amendment to the original Bill was initially proposed by the Opposition, who promptly got cold feet and tried to drop it only to find that it was introduced by the Greens and supported by the Government and other cross-benches (see Hansard, 28 October 1998). However, it may be a pyrrhic victory. Even though the Privacy Commissioner must prepare a code (s19(4)), only the Minister can make a code (s31(4)), and if no code is ever made s19(2) will never come into operation because of s19(5). It is therefore vital that the Minister make a code of conduct dealing with disclosures outside NSW, once the Commissioner prepares one.
There are two avenues by which a person who considers that a public sector agency has interfered with their privacy can seek a remedy. They may make a complaint to the Privacy Commissioner under Part 4 Division 3. Such complaints may relate to any alleged 'violation of, or interference with, the [individual's] privacy' (Privacy and Personal Information Protection Act 1998 s45(1)). These terms are undefined, and are of similar breadth to the conduct that could previously be investigated by the Privacy Committee. Breaches of the IPPs, a code of practice, or the public register principles in Part 6 are specifically included as matters the Commissioner can investigate (s45(2)). The Commissioner must attempt to resolve the complaint by conciliation (s49), and, on completion of an investigation, can only make reports and recommendations (s50). The Commissioner's complaints role under Part 4 is essentially the same as the 'privacy Ombudsman' role filled by the previous Privacy Committee.
The second avenue is that the individual may complain under Part 5 to the agency concerned about a breach of the IPPs, a code of practice, or the public register principles in Part 6 (s52), and the agency must then conduct an internal review (s53). The agency must then notify the Privacy Commissioner, and may request the Commissioner to undertake the internal review on the agency's behalf (for a fee) (s54). If the person is dissatisfied by the internal review, or the action taken by the agency as a result, he or she may apply to the Administrative Decisions Tribunal for a review of the conduct that was the subject of the review (s55(1)). Part 5 only applies to actions which take place after it commences (s52(3)).
The Tribunal may decide to make any one or more of the following orders (s55(2)):
(a) subject to subsection (3), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to restrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
The Tribunal may only make an order for financial compensation if it is satisfied that 'the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency', and only in relation to conduct that occurs at least 12 months after this Division of the Act commences (s55(4)). There is therefore a '12 months' grace' period before the financial compensation provisions apply.
The Privacy Commissioner must be notified by the Tribunal of any applications for review that it receives (s55(6)), and has a right to appear in such proceedings (s55(7)).
If a person chooses to make a complaint to the Privacy Commissioner under Part 4, and the Commissioner investigates, this does not prevent the person from also seeking a remedy under Part 5. A Legislative Council amendment deleted an outrageous provision in the Government's Bill which would have disqualified any person whose complaint was investigated by the Commissioner from subsequently seeking an enforceable remedy from the Tribunal (see (1998) 5 PLPR 69).
Part 4 and Part 8 set out the powers and functions of the Privacy Commissioner. Part 7 provides for a part-time Privacy Advisory Committee with no powers, and functions to advise the Commissioner and (if requested) the Minister.
Part 6 (Public Registers) sets out the first set of information privacy principles applying to public registers in Australian law, and codes of practice may also modify those public register principles (s30(1)).
Sections 62 and 63 provide for criminal offences concerning corrupt disclosure and use of personal information by public officials, and offers to supply personal information disclosed unlawfully. These provisions need to be considered in conjunction with the existing 'computer crime' provisions in the NSW Crimes Act (ss308-310).
In the unnecessarily limited realm in which it applies, the Act is likely to provide some individuals with an effective and inexpensive means of obtaining redress for unjustifiable invasions of privacy. In many other important areas where State-owned corporations and State investigative agencies affect people's privacy, they will simply be told 'the Act does not apply'.
The other down-side of this Act (as with much other privacy legislation) is that it will make it easier for successive governments to use it as a justification for extending surveillance activities, by stressing that 'it will all be done in accordance with the privacy Act' and 'the Privacy Commissioner will be consulted'. Few people in the public or in public affairs will appreciate just how limited the Act's protections are, and it will serve to assist in the extension of surveillance activities.
The Act is available at http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464/
Thanks to John Gaudin for assistance with information concerning the proclamation of sections of the Act.