A new era for public sector privacy in NSW

Graham Greenleaf

 (For publication in Privacy Law & Policy Reporter, Vol 5 No 7, February 1999)
 

  • The Privacy Committee of one
  • An overview of the Act
  • The Information Protection Principles
  • Exemptions
  • Codes of practice
  • Standards for codes
  • Australia's first data export prohibition
  • Complaint investigation and remedies
  • Other important provisions
  • Conclusions


     Twenty-four years after the Privacy Committee Act 1975 (NSW) established the world's third permanent privacy protection body, New South Wales has new privacy legislation. The Privacy and Personal Information Protection Act 1998 heralds a new era for the protection of privacy in the New South Wales public sector - but not just yet.

    The Bill's Parliamentary progress was reported in (1998) 5 PLPR 69, 99 and 124. The Legislative Council made various amendments to strengthen considerably the Bill introduced into the Assembly (described in PLPR as a contender for 'world's worst practice' in privacy protection). Two further amendments made by the Legislative Assembly were accepted by the Legislative Council (discussed below). The Act was subsequently passed and assented to on 30 November 1998. The substantive parts of the Act have not yet been proclaimed.

    The Privacy Committee of one

    A partial proclamation together with the gazetting of the Privacy and Personal Information Protection (Interim) Regulation took effect on 1 February 1999. The effect of these measures is to repeal those parts of the Privacy Committee Act 1975 dealing with the composition and membership of the Privacy Committee, provide for the appointment of a Privacy Commissioner and Privacy Advisory Committee (under the new Act) and transfer the functions of the Privacy Committee to the Commissioner.

    Chris Puplick, the former Chairman of the Privacy Committee, was appointed as Privacy Commissioner, as the Attorney-General had previously stated would be the case. Mr Puplick will combine the office of Commissioner with his position as President of the Anti-Discrimination Board.

    It is expected that there will be a phased introduction of the remainder of the Privacy and Personal Information Protection Act 1998 to give public sector agencies sufficient time to comply with the Act's mandatory provisions. How long this will take with a NSW public sector that has already succeeded in obstructing this legislation for many years remains to be seen. This delay is likely to affect Part 2 of the Act dealing with compliance with information protection principles, Part 3 dealing with privacy codes of practice and privacy management plans, Part 5 dealing with review of conduct, with those offence provisions in Part 8 which are dependent on the introduction of Parts 2 and 3 and with the public register provisions in Part 6.

     Parts 4 and 7 and the remainder of Part 8 dealing with the operation of the Privacy Commissioner and the Privacy Advisory Committee are more likely to be proclaimed earlier to enable the Privacy Commissioner to give preliminary advice and prepare explanatory material on the coverage of the Act. The Commissioner will take over complaints lodged with the former Privacy Committee. He will continue to exercise similar research, educative and advisory powers to those of the Committee in relation to privacy issues which are not covered by the Act's mandatory provisions.

     Catherine Riordan (formerly Acting Executive Member of the Privacy Committee) and the Committee staff continue to act as staff of the committee or 'members of the Privacy Committee' under the interim regulation. Staff of the Privacy Committee are expected to transfer to the Privacy Commissioner's Office.

    In summary, the current position is:

    An overview of the Act

    The Act contains eleven Information Protection Principles (IPPs), the content of which is similar to those in the Commonwealth Privacy Act 1988, and which are similarly enforceable. The Privacy Committee Act 1975 contained no such enforceable rights. The IPPs apply to the NSW public sector, including local government and prescribed bodies which are outsourcing data services, but not to the private sector. State-owned corporations are excluded from the IPPs (after the Legislative Assembly rejected a Legislative Council amendment, and the Council capitulated).

     Codes of practice, made by Ministerial regulation and disallowable by Parliament, can modify the operation of the IPPs and provide exceptions to their operation. Complaints of breaches of the IPPs may be investigated by the new NSW Privacy Commissioner, or by internal review within an agency. The Commissioner can only mediate complaints, but complainants will be able to appeal from internal reviews to the new Administrative Decisions Tribunal. The Tribunal can award compensatory damages of up to $40,000 and can order remedial actions.

    The Information Protection Principles

    The 'information protection principles' (IPPs) in Part 2 of this Act do not follow the Commonwealth Privacy Commissioner's 'National Principles' (see (1988) 4 PLPR 165), unlike those in the proposed Victorian and Commonwealth Acts (see other articles in this issue). They are similar in many respects to those in the previous Coalition government's 1994 Bill (see (1994) 1 PLPR 41), which implemented the NSW Privacy Committee's recommended improvements to the IPPs in the Commonwealth Privacy Act 1988. However, the 1994 version has been weakened in significant ways in the Privacy and Personal Information Protection Act 1998.

     Some notable features of the NSW IPPs are:

    On balance, the NSW IPPs are generally a somewhat stronger 'starting point' statement of information privacy rights than the Commonwealth IPPs or the Privacy Commissioner's NPPs. However, this is only until the exemptions from the IPPs are considered, at which point the IPPs become Swiss cheese with more holes than cheese.

    Exemptions

    As explained at some length in (1998) 5 PLPR 69 the Act contains numerous exemptions for agencies, unjustified during its passage and with few equivalents in the Commonwealth legislation. Many NSW agencies, particularly those with a monotonous history of privacy invasion such as the NSW Police service, have worked hard to become official 'privacy free zones', and Parliament has acquiesced. These exemptions need more analysis than is possible in this overview, particularly as many exemptions only apply to some of the IPPs.

    Codes of practice

    This is the first Australian legislation to make general provision for enforceable 'privacy codes of practice' (Part 3). Codes of practice may apply to '(a) any specified class of personal information, (b) any specified public sector agency or class of public sector agency, [or] (c) any specified activity or specified class of activity' (s29(5)), as well as to disclosures outside NSW (s29(4)).

     Codes may modify, in relation to an agency or class of agencies, the operation of both the IPPs and the public register privacy principles in Part 6 (s30). This includes exemptions from the operation of an IPP, as well as specifying the manner in which the IPP will apply (s31(2)). It seems, therefore, that a code could operate as either a full or a partial replacement for the IPPs (for an agency), depending on its terms. An agency is still required to comply with the IPPs applying to the agency when a code is made (s21), it is just that the code may modify which IPPs (or parts of them) do apply to the agency. Agencies are required to comply with codes (s32) on the same basis as they are required to comply with the IPPs (s21), and contravention of either can lead to the remedies provided by Part 5.

     Codes are made by the Minister (s31(4)) responsible for the Act (the Attorney-General), but their development can only be initiated by the Privacy Commissioner or an agency (s31(2)), who may consult anyone they wish during the process. Where an agency initiates a code, it must 'consult with the Privacy Commissioner' before it submits the code to the Minister (s31(2)). The Minister must consider any submissions made by the Privacy Commissioner before making the code (ss31(3), (4)). However, the Minister can only 'make' the code as proposed by the Commissioner or the agency; he or she cannot re-write it. A code of practice is not a statutory rule, as it is not 'required by law to be approved or confirmed by the Governor' (Interpretation Act 1987 (NSW) s21). Only statutory rules may be disallowed by resolution by either house of Parliament (Interpretation Act 1987 (NSW) s41), so there is no provision for Parliamentary oversight (contrary to what was said in (1998) 5 PLPR 69). This is a considerable deficiency in the Act, and contrasts with the Commonwealth Privacy Act 1988, where exemptions made by the Commissioner under Part VI are disallowable instruments.

     The opportunity for public notice of draft codes, and public input into their development, therefore depends largely on how the Privacy Commissioner interprets his role. The Commonwealth Privacy Act 1988 requires public notice and opportunities for input before exemptions to the IPPs are made under Part VI, and it would be desirable if the Commissioner attempted to provide such opportunities here. Agencies may do likewise.

     Amendments to codes must follow the same process (Privacy and Personal Information Protection Act 1998 s31(7)). While it is possible for the Minister to repeal any such codes he makes (Interpretation Act 1987 s43(2)), Privacy and Personal Information Protection Act 1998 s31(7) removes the Minister's normal power to alter them after he makes them.

     In a confusing duplication, the Privacy Commissioner also has powers, 'with the approval of the Minister', to grant agencies exemptions from the principles (s41), which power is limited by a requirement that the public interest in the exception should outweigh the public interest in upholding the principle (similar to Part V of the Commonwealth Act). It will be surprising if these redundant powers are used.

     As explained in (1998) 5 PLPR 69, the Act also contains various devices other than code-making by which the Minister can limit the operation of the Act, including the power to exempt information from the definition of 'personal information' and to extend the list of 'investigative agencies'.

     Unlike the Commonwealth Privacy Act 1988, the New Zealand Privacy Act 1993, and the Hong Kong legislation, the Minister makes the codes/exemptions, not the Privacy Commissioner. The 'worst case' end result would be that a privacy-hostile Minister would make numerous further exemptions from the Act, outside the control of the Privacy Commissioner (who might be expected to wish to keep exemptions to a justifiable minimum). The lack of explicit provisions for public input in the code process could mean that the public might not hear of an exemption until after it is made. Vigilance by public interest groups, the Commissioner and the media will be valuable, but in the absence of Parliamentary disallowance it will be difficult to prevent the Act suffering 'repeal by instalments' if agencies propose codes which weaken the Act and an Attorney-General accedes to their wishes. An Attorney-General with a willingness to protect privacy is what the Act will need most.

    Standards for codes

    If codes of practice can effectively repeal parts of the Information Protection Principles, must they be made to any standards which could have the effect of limiting this? The original Bill set no standards to which the Minister must comply when making codes, other than the general statement in Privacy and Personal Information Protection Act 1998 s29(1) which states that codes may be made 'for the purpose of protecting the privacy of individuals' (as distinct from weakening that protection). Codes cannot impose a standard higher than the IPPs (s29(7)(b)).

     Following amendments, the Act now has one weak protective standard. Codes of conduct 'must provide standards of privacy protection that operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales' (s29(7)(a)). A Minister could therefore not make a code which would set a standard so low that it would expose NSW to data export restrictions by European Union countries or other countries. This opens up an interesting avenue by which Ministerial actions may be questioned by administrative law actions.

     A Legislative Council amendment provided that codes could not weaken the IPPs unless the Privacy Commissioner was satisfied that the public interest in allowing the exemption outweighed the public interest in the agency complying with the IPP. This was merely a weak version of s71 of the Commonwealth Privacy Act 1988, but the Government overturned the amendment in the Legislative Assembly on the grounds that the Privacy Commissioner should not have power to veto codes (see 5 PLPR 70 for a contrary view), and the Legislative Council then acceded to the government's wish. The obvious alternative of requiring the Minister to comply with the public interest test was ignored.

     As a result, the extent to which the Minister can undermine the IPPs through weak codes is unclear. A restrictive approach would focus on Privacy and Personal Information Protection Act 1998 s29(1), arguing that codes can only exempt an agency from an IPP where the code has the overall effect of providing better privacy protection to individuals. This approach could have much the same effect as the proposed 'public interest' exemption, but would still leave the test to be applied by the Minister, as the Government wished. This will be an interesting issue if it ever comes before the Administrative Decisions Tribunal.

    Australia's first data export prohibition

    An interesting innovation in the Act is its approach to the disclosure of personal information outside NSW. The provisions in s19(2)-(5) require quotation in full:
    (2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
    (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
    (b) the disclosure is permitted under a privacy code of practice.
    (3) For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
    (4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
    (5) Subsection (2) does not apply:
    (a) until after the first anniversary of the commencement of this section, or
    (b) until a code referred to in subsection (4) is made,
    whichever is the later.

    The purpose of the provision is that NSW public sector agencies should not disclose personal information to persons or bodies outside NSW unless there are appropriate privacy laws or other forms of protection (recognised in a code of conduct) in operation in the other jurisdiction.

    A benefit of this provision (once it is in force) is that it could provide protection to NSW agencies against any data import restrictions being imposed against them. For example, a European government could otherwise refuse to disclose personal information to a NSW agency on the grounds that, no matter how strong the privacy protection in NSW might be, there was nothing to stop the NSW agency from passing on the data to an unprotected jurisdiction.

     An important factor to note is the broad scope of the prohibition. It extends to other State and Territory governments in Australia. It also applies (in theory) to Commonwealth agencies located outside NSW (although the Commonwealth Privacy Act would presumably be a 'relevant privacy law'). It also applies to any private sector organisations outside NSW.

     This amendment to the original Bill was initially proposed by the Opposition, who promptly got cold feet and tried to drop it only to find that it was introduced by the Greens and supported by the Government and other cross-benches (see Hansard, 28 October 1998). However, it may be a pyrrhic victory. Even though the Privacy Commissioner must prepare a code (s19(4)), only the Minister can make a code (s31(4)), and if no code is ever made s19(2) will never come into operation because of s19(5). It is therefore vital that the Minister make a code of conduct dealing with disclosures outside NSW, once the Commissioner prepares one.

    Complaint investigation and remedies

    As a result of the amendments by the Legislative Council, the remedies provided by the Act are now one of its strong points.

     There are two avenues by which a person who considers that a public sector agency has interfered with their privacy can seek a remedy. They may make a complaint to the Privacy Commissioner under Part 4 Division 3. Such complaints may relate to any alleged 'violation of, or interference with, the [individual's] privacy' (Privacy and Personal Information Protection Act 1998 s45(1)). These terms are undefined, and are of similar breadth to the conduct that could previously be investigated by the Privacy Committee. Breaches of the IPPs, a code of practice, or the public register principles in Part 6 are specifically included as matters the Commissioner can investigate (s45(2)). The Commissioner must attempt to resolve the complaint by conciliation (s49), and, on completion of an investigation, can only make reports and recommendations (s50). The Commissioner's complaints role under Part 4 is essentially the same as the 'privacy Ombudsman' role filled by the previous Privacy Committee.

     The second avenue is that the individual may complain under Part 5 to the agency concerned about a breach of the IPPs, a code of practice, or the public register principles in Part 6 (s52), and the agency must then conduct an internal review (s53). The agency must then notify the Privacy Commissioner, and it may request the Commissioner to undertake the internal review on the agency's behalf (for a fee) (s54). If the person is dissatisfied by the internal review, or the action taken by the agency as a result, he or she may apply to the Administrative Decisions Tribunal for a review of the conduct that was the subject of the review (s55(1)). Part 5 only applies to actions which take place after it commences (s52(3)).

    The Tribunal may decide to make any one or more of the following orders (s55(2)):

    (a) subject to subsection (3), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
    (b) an order requiring the public sector agency to restrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
    (c) an order requiring the performance of an information protection principle or a privacy code of practice,
    (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
    (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
    (f) an order requiring the public sector agency not to disclose personal information contained in a public register,
    (g) such ancillary orders as the Tribunal thinks appropriate.

    The Tribunal may only make an order for financial compensation if it is satisfied that 'the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency', and only in relation to conduct that occurs at least 12 months after this Division of the Act commences (s55(4)). There is therefore a '12 months' grace' period before the financial compensation provisions apply.

     The Privacy Commissioner must be notified by the Tribunal of any applications for review that it receives (s55(6)), and has a right to appear in such proceedings (s55(7)).

     If a person chooses to make a complaint to the Privacy Commissioner under Part 4, and the Commissioner investigates, this does not prevent the person from also seeking a remedy under Part 5. A Legislative Council amendment deleted an outrageous provision in the Government's Bill which would have disqualified any person whose complaint was investigated by the Commissioner from subsequently seeking an enforceable remedy from the Tribunal (see (1998) 5 PLPR 69).

    Other important provisions

    Other parts of the Act will be discussed in a subsequent article.

     Part 4 and Part 8 set out the powers and functions of the Privacy Commissioner. Part 7 provides for a part-time Privacy Advisory Committee with no powers, and functions to advise the Commissioner and (if requested) the Minister.

     Part 6 (Public Registers) sets out the first set of information privacy principles applying to public registers in Australian law, and codes of practice may also modify those public register principles (s30(1)).

     Sections 62 and 63 provide for criminal offences concerning corrupt disclosure and use of personal information by public officials, and offers to supply personal information disclosed unlawfully. These provisions need to be considered in conjunction with the existing 'computer crime' provisions in the NSW Crimes Act (ss308-310).

    Conclusions

    The Privacy and Personal Information Protection Act 1998 is a reasonably strong piece of 1980s-style information privacy legislation for the less important (ie non-exempt) parts of what remains of the NSW public sector after corporatisation and privatisation.

     In the unnecessarily limited realm in which it applies, it is likely to provide some individuals with an effective and inexpensive means of obtaining redress for unjustifiable invasions of privacy. In many other important areas where State-owned corporations and State investigative agencies affect people's privacy, they will simply be told 'the Act does not apply'.

     The other down-side of this Act (as with much other privacy legislation) is that it will make it easier for successive governments to use it as a justification for extending surveillance activities, by stressing that 'it will all be done in accordance with the privacy Act' and 'the Privacy Commissioner will be consulted'. Few people in the public or in public affairs will appreciate just how limited the Act's protections are, and it will serve to assist in the extension of surveillance activities.

    The Act is available at http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464/

    Thanks to John Gaudin for assistance with information concerning the proclamation of sections of the Act.

    Graham Greenleaf
