Victoria's draft Data Protection Bill
- The new model Bill?
Graham Greenleaf
(For publication in Privacy Law & Policy Reporter, Vol 5 No 7, February 1999)
Overview: Victoria delivers
The Principles : conformity at a cost
Data 'exports': a broad prohibition
Outsourcing: buck-passing with care
Scope and exemptions
Codes of practice (Part 3)
Public registers: almost covered
Complaints and remedies
Enforcement actions
No privacy tort
Other interferences with privacy
Victoria should go ahead
The Victorian Government's draft Data Protection Bill, released
in December 1998 with an accompanying Discussion Paper, has many elements
which may provide the model for information privacy protection in Australia,
both at State and Federal levels (Data Protection Bill Discussion Paper,
Multimedia Victoria, December 1998 - available at http://www.mmv.vic.gov.au
under 'publications'). Submissions were called for by 12 February.
The draft Bill removes many of the uncertainties about the Victorian
Government's original proposals (see for example 'Will Stockdale break
the privacy impasse?' (1998) 5 PLPR 21), and generally does so by clarifying
that strong privacy protection is intended. The government has responded
to many of the submissions it received.
Overview: Victoria delivers
The proposed legislation can be summed up in a few propositions:
- Both public sector and private sector activities in Victoria will be required
to comply with enforceable Information Privacy Principles (IPPs).
- There will be few exceptions to the application of the IPPs, principally
exceptions for personal, family and household affairs, for journalistic
activities and for some activities of law enforcement agencies. There is
no general exemption for employment purposes.
- The IPPs will be based closely on the Commonwealth Privacy Commissioner's
'National Privacy Principles'.
- The government, on the recommendation of the Victorian Privacy Commissioner,
may approve a Code of Practice for an industry, or class of information
or activity.
- A person may complain to the Victorian Privacy Commissioner about the breach
of the IPPs or a Code, but if there is a Code applying must first allow
the Code administrator the opportunity to resolve the complaint.
- If the Commissioner cannot resolve the complaint by conciliation then the
complainant has what is in effect a right of appeal to the Victorian Civil
and Administrative Tribunal.
- In relation to interferences with privacy which fall outside the scope
of the IPPs, the Privacy Commissioner has an 'ombudsman' role of investigation
and conciliation.
Victoria has delivered a model for genuine co-regulation, where Codes of
practice provide flexibility but both the IPPs and Codes are equally enforceable
with remedies equivalent to those in the Commonwealth
Privacy Act 1988.
While there is still room for improvement on the Victorian model, it sets
the standard around which the debate over information privacy protection
in Australia should be conducted.
The Principles : conformity at a cost
Organisations must comply with the IPPs (Data Protection Bill, s11(1)).
The IPPs, set out in Schedule 1 (s9), are based closely on the Commonwealth
Privacy Commissioner's 'National Privacy Principles', as revised in January
1999 (see the next issue of PLPR for the text). Schedule 1 is essentially
a conversion of the Commissioner's Principles into statutory language (such
as converting 'should' into 'must'). However, there are some modifications.
In an effort to obtain national uniformity the Victorian Bill
is therefore based on a set of Principles which are not the product of
consensus, are more a product of horse-trading than considered reform,
and which have been criticised very strongly by privacy and consumer organisations
(see (1998) 5 PLPR 41 for details), although welcomed by participating
business organisations. The final view of privacy and consumer organisations
on the Commissioner's revised Principles will be included in the next issue
of PLPR, and more general critiques in issues to follow.
The Victorian government should reach its own view on what privacy principles
are in the public interest, and set the standard for Australia, while seeking
as much uniformity with other jurisdictions as can be achieved. As a minimum,
it should provide for a review of the IPPs by the Privacy Commissioner
after three years.
Data 'exports': a broad prohibition
IPP 9 follows the Commissioner's revised Principles in expanding the scope
of the data export restriction so that it now applies to disclosures 'to
a third party', not just those 'outside Australia'. This is significant
in that it now restricts data transfers to other States and Territories,
not just to overseas jurisdictions, as it needs to do if it is not to be
regarded as a non-tariff trade barrier. The data export restriction in
the new NSW Act also applies to exports to other States and Territories
(see article this issue).
IPP 9 needs to be clarified to ensure that it does apply to a
transfer of information within an organisation, but from Victoria to another
jurisdiction without sufficient privacy protection. As the Commissioner's
Guidance Note now says, it was intended that 'This principle would prevent
an organisation from disclosing personal information to any recipient that
is not subject to a comparable information privacy scheme, whether the
recipient is located within or outside Australia'. The problem with the
Victorian statutory formulation is that it is not supported, for purposes
of interpretation, by the Commissioner's Guidance Notes. The Bill therefore
needs to clarify that, for IPP 11, 'a third party' includes a part of the
same organisation which is located outside Victoria.
An additional clause 9.2 has been added to the Commissioner's
Principles, providing that an organisation will be deemed to comply with
its obligation to take 'reasonable steps' to provide protection in data
exports if there is a contract between the supplier and recipient of the
data which adopts the model terms for such agreements published by the
Privacy Commissioner. This is a very undesirable and unnecessary exception,
because, depending on the particular transfer (such as the jurisdiction
where the data is being transferred to), such a contract may provide no
protection, or may not provide the best protection available. It is unnecessary
to provide that such contracts will always be sufficient, and to do so
reduces the likelihood that IPP 9 will satisfy the European Union's requirements
for adequate protection against onward transfers.
Outsourcing: buck-passing with care
The Bill does not allow an organisation to avoid its responsibilities simply
by outsourcing aspects of its handling of personal information. The outsourcing
organisation will be deemed liable for any actions of the outsourced
service provider unless it can establish that it 'took reasonable precautions
and exercised due diligence' to avoid any breaches (s12(3)). The IPPs and
codes also apply to any outsourced service provider to the same extent
as they apply to the outsourcing organisation (s12(2)), which could lead
to some interesting jurisdictional extensions of the Act.
Scope and exemptions
The Bill provides for relatively few exceptions to its operation, including:
- an exception for personal information used in relation to 'personal, family
or household affairs' (s4(1));
- a number of exceptions relating to most journalistic uses of personal information
(s4(3)(a), s4(4)(c));
- use of personal information for the purpose of compiling statistics or
carrying out research which it is intended will be published in non-identified
form (s4(3)); and
- various exceptions for law enforcement agencies (s4(5)).
Some of these exceptions may be unnecessarily broad, and this will be covered
in a subsequent article in PLPR, but they are not extensive compared with
those in the NSW Act. Whether the range of exceptions will remain as limited
in the course of passage of the Bill will be one of the main determinants
of its success or failure.
Codes of practice (Part 3)
An organisation may seek approval of a code of practice by submitting the
code to the Privacy Commissioner (s14(1)). If the Commissioner recommends
its approval to the Governor in Council, the code is approved when gazetted
(s14(2)). It does not seem that the Commissioner can draft or amend codes,
but could of course refuse to recommend them until they are appropriately
amended. The Commissioner must keep a register of approved codes (s16).
Codes may be varied in the same manner as they are approved (s14),
and can be revoked by a similar process on the application of an individual
or organisation to the Privacy Commissioner, or on the Commissioner's own
initiative (s17).
The Commissioner must be satisfied that any proposed code (or
variation) meets two standards: (i) it must 'substantially achieve the
privacy objectives of this Act in relation to the personal information
to which the code applies', and (ii) the approval must not be 'contrary
to the public interest' (s14(3)). Before recommending approval, the Commissioner
must also consult the Federal Privacy Commissioner, may consult others,
and must allow adequate opportunity for public comment (s14(4)).
Codes may cover virtually any aspect of the Act, including both its
substance (the IPPs, public registers and data matching), and its procedural
aspects (complaint procedures, remedies and charges) (s13). However, codes
cannot supplant the right of an individual to 'appeal' to the Privacy
Commissioner and the Tribunal under Part 4 if they are dissatisfied with
how they have been dealt with under a code, and cannot alter the remedies
available from the Tribunal. The very great flexibility that codes provide
is therefore tempered by both the standards that must be observed when
they are made, and the remedies that apply irrespective of what 'internal'
remedies the code may itself provide. It is a fair balance.
A code may modify 'any one or more' of the IPPs, by prescribing
standards that are more or less stringent than the IPPs, or even by exempting
the application of an IPP (subject to the standards the Commissioner must
apply) (s13(2)). Codes may apply to classes of information, organisations
or activities, or an 'industry, profession or calling' (s13(3)).
If a code contains requirements that are not otherwise found in an IPP,
a breach of those requirements is deemed to be a breach of an IPP (s15(b)).
Codes can therefore extend the reach of the Act at least as easily as they
can restrict it.
An approved code is intended to supplant the Act only to the extent
that it specifies (Discussion Paper). The wording of s15, taken on its
own, could mean that any code, no matter how few IPPs it covers, would
supplant all of the IPPs. However, since s13(2) specifies that a code may
modify 'any one or more' IPPs, it is clear that codes may supplant only
part of the IPPs and the IPPs and other aspects of the Act will continue
to operate to any extent that a code does not deal with them. This allowance
for 'partial codes' is very desirable, but will sometimes lead to some
difficult questions of interpretation if a code does not state precisely
which provisions of the Act it is intended to supplant. The Commissioner
can avoid these problems by careful checking of codes.
Public registers: almost covered
The Bill takes a complex approach to public registers (defined in s3).
Public sector agencies must administer public registers so far as is reasonably
practical by observing the IPPs in relation to them (and as if they contained
personal information) (s11(3)). Codes of practice can apply to public registers
(s13(5)). Insofar as they apply to public registers, IPPs and codes are
enforceable.
Complaints and remedies
Individuals may make a complaint to the Privacy Commissioner about an interference
with privacy if there is no approved code of practice applying (s18(2)(a)).
They can also make a complaint if a code does apply and they have received
a response to a complaint from the code administrator which they consider
to be inadequate, or no response (s18(2)(b)). There are a variety of grounds
on which the Commissioner can refuse to entertain a complaint (s20), but
the complainant may then require the Commissioner to refer the complaint
to the Tribunal (s20(6)). The Minister may also refer complaints raising
important public policies direct to the Tribunal (s22(1)).
The Privacy Commissioner must attempt to conciliate a complaint if he
or she thinks that successful conciliation is reasonably possible (s24).
If the parties reach agreement following conciliation, any party has 30
days following agreement to request that the agreement be put in writing
and signed by all parties and certified by the Commissioner (s27). The
agreement can then be registered with the Tribunal, and on registration
it becomes an order of the Tribunal and its terms can be enforced accordingly
(s27(5)). If the Commissioner decides it is not reasonably possible that
a complaint will be conciliated successfully, the complainant can require
it to be referred to the Tribunal (s28).
The Tribunal (the Victorian Civil and Administrative Tribunal,
VCAT) has powers to make a wide range of orders after it hears a complaint
(s34), including:
- orders restraining the continuation of conduct which was the subject of
the complaint;
- orders that the respondent take reasonable actions to redress loss or damage
(including injury to feelings and humiliation);
- orders for compensation not exceeding $100,000 for loss or damage (including
injury to feelings and humiliation);
- orders for reimbursement of the complainant's reasonable expenses in connection
with the complaint; and
- orders for correction of personal information or attachment of an explanatory
statement.
These powers are substantially similar to those found in the Commonwealth
Privacy Act 1988 and the NSW Privacy and Personal Data Protection
Act 1998, except that the maximum amount of compensation is $40,000
in NSW and not limited in the Commonwealth.
A hearing by the Tribunal, and these remedies, are ultimately
available to any complainant, irrespective of whether they initially make
a complaint to a code administrator (and then to the Commissioner and then
the Tribunal); or whether their initial complaint is to the Commissioner
because no code applies, and then to the Tribunal because conciliation
fails; or whether because the Commissioner or the Minister refers the complaint
direct to the Tribunal. This is the strength of the Bill: at the end of
the day, all complainants have access to the same remedies.
The Tribunal can also make interim orders, on the application of a complainant
or the Commissioner, to prevent any party taking actions which would prejudice
conciliation or any order the Tribunal might subsequently make (s30).
Enforcement actions
If an organisation failed to comply with a Tribunal order under s34 restraining
the continuation of conduct which was the subject of a complaint, this
would be contempt of the Tribunal.
Criminal penalties can arise if the Commissioner considers that an organisation
has breached the IPPs (or a code) and the breach 'constitutes a serious
or flagrant contravention' (not defined further) or is not so serious but
is repetitive (defined as 'engaged in ... on at least 5 separate occasions
within the previous two years') (s35). The Commissioner can issue a 'compliance
notice' either on his own initiative or on an application by a complainant
(s35(3)). In such cases the Commissioner has wide powers of investigation
(ss36-38). It is an indictable offence for an organisation not to comply
with a compliance notice (s39), and there is a right to seek a review of
the Commissioner's decision by the Tribunal.
Other than this, a breach of the Act does not create any criminal
liability (s6(2)).
No privacy tort
'Nothing in this Act ... gives rise to, or can be taken into account in,
any civil cause of action' (s6(1)(a)). So, for example, a disclosure in
breach of the Act would not in itself constitute a statutory tort, nor
could IPP 2 be taken as constituting 'circumstances of confidence' for
the purposes of an action for breach of confidence. However, this provision
might not apply to a Code of Practice (since it is not 'in this Act'),
but nor should it, since a code involves an organisation holding out what
its practices will be.
Other interferences with privacy
In relation to any interferences with privacy which fall outside the scope
of the IPPs, the Privacy Commissioner will have an 'ombudsman' role of
investigation and conciliation (s49(g)). This role is equivalent to that
which has been exercised by the NSW Privacy Committee since 1975, and is
now exercised by the new NSW Privacy Commissioner. In Australia's two largest
jurisdictions, it will therefore be possible to seek investigation and
conciliation of any privacy issue. This may become an important and valuable
element of 'the Australian model'.
Victoria should go ahead
The Victorian Government has produced a well-balanced privacy Bill which
should be enacted as quickly as possible. The Discussion Paper says that
it is scheduled for introduction and passage in the Autumn 1999 Parliamentary
sittings. It can apply immediately to Victoria's public sector agencies.
The Victorian Government should stick to its promise to apply the legislation
to the private sector if the Commonwealth fails to act, and it should do
so if the Commonwealth takes an approach that falls unacceptably short
of Victoria's benchmark. A deadline of 1 January 2000 would be a suitable
date for Victoria's legislation to have full force, and quite sufficient
time for the Commonwealth to act.
Graham Greenleaf (General Editor)