NSW to scrap Privacy Commissioner, 
reduce privacy protection

Graham Greenleaf * and Nigel Waters'[*]*

5 November 2003

 (for publication in (2003) 10(6) Privacy Law & Policy Reporter, LexisNexis Australia)


 


  • Ombudsman investigating the private sector?
  • Privacy advocate and Ombudsman: an odd couple
  • Will 'the advocacy of privacy ... sink without trace' ?
  • An unprecedented, inappropriate model
  • Strengthening Ministers' powers to exempt
  • Oversight changes
  • A better approach

  •  


    The New South Wales government has moved to transfer the functions of the NSW Privacy Commissioner to the Ombudsman. It is an unprecedented model for privacy protection, and runs the risk of constituting a significant diminution of privacy protection in NSW.

     The NSW Attorney General (Mr Debus) tabled the Privacy and Personal Information Protection Amendment Bill 2003 on 17 October 2003, and it passed the lower house against Opposition objection on 29 October. Its fate in the Legislative Council is uncertain.

     The main provisions of the Bill transfer to the NSW Ombudsman most of the Privacy Commissioner's functions under the Privacy and Personal Information Protection Act 1998 (PPIPA), the Health Records and Information Privacy Act 2002 (HRIPA) and other legislation. Some significant exceptions concerning exemption-making powers, and some minor ones concerning complaints, are noted below. The government states that the resources of Privacy NSW will also be transferred, although it remains to be seen if both the equivalent funds and the experienced staff go to the Ombudsman in their entirety.

    The Ombudsman, Mr Barbour, can be expected to be an effective ombudsman in resolving privacy complaints against government agencies. However, as we detail in this article, when we consider all of the roles of a Privacy Commissioner, some are not a comfortable fit for an ombudsman. An Ombudsman determined to be a privacy advocate might make it work effectively, but the risks for the effective continuation of privacy protection in NSW are significant.

    Ombudsman investigating the private sector?

    In relation to the investigation of privacy complaints against NSW government agencies, the transfer of functions to the Ombudsman may well be effective. The NSW Privacy Commissioner only has a function of mediating in complaints, with any determinations left to the NSW Administrative Decisions Tribunal. This is consistent with the Ombudsman's traditional role of investigation and recommendation in relation to public authorities.

     However, the NSW Privacy Commissioner may investigate privacy interferences by private sector bodies[1], including on his own motion, and make recommendations[2]. This function of the Privacy Commissioner to investigate any privacy interference by any person was inherited from the former NSW Privacy Committee. It has continued to be exercised by Privacy NSW despite the Commonwealth private sector privacy legislation. Because the Commonwealth legislation has so many exceptions (including employment issues, and small businesses with turnover under $3M) , and only applies to breaches of the NPPs in any event[3], this power of the NSW Privacy Commissioner continues to be of importance, particularly in relation to clubs and other NGOs under the $3M threshold, and surveillance activities..

     The HRIPA goes further, imposing a set of health privacy principles on all private sector health service providers[4].

     These private sector responsibiliteis do not fit comfortably with the Ombudsman's role which is normally limited to investigating public authorities. It is difficult to believe that the Ombudsman will exercise these functions with any enthusiasm, or ever on his own motion, and easy to see that it could confuse public perceptions of his office. It is also hard to imagine any but the most astute members of the public ever thinking of complaining to the NSW Ombudsman about the privacy practices of private sector bodies.

     If this role of the Privacy Commissioner is lost in practice (though transferred in theory), privacy protection in NSW is diminished.

    Privacy advocate and Ombudsman: an odd couple

    In similar vein, an equally important statutory role of the NSW Privacy Commissioner is what can be described as his role as a privacy advocate. These statutory functions, which are being transferred to the Ombudsman[5], are set out in the following parts of s36(1):

     "(f) to conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals,

    (g) to provide advice on matters relating to the protection of personal information and the privacy of individuals,

    (h) to make public statements about any matter relating to the privacy of individuals generally,

    (i) to conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals,

    (j) to prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals,

    (k) to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),

    (l) to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate. " [to be amended to 'the Ombudsman']

     The NSW Privacy Commissioner, in common with Commissioners in other jurisdictions in Australia and overseas, therefore has an important role of keeping abreast of technological changes and social practices affecting privacy, and of making public statements and even recommending legislative initiatives to deal with them. As with complaints, these advocacy functions cover private sector activities as well as the public sector.

    Will 'the advocacy of privacy ... sink without trace' ?

    Because new government proposals are the major source of new interferences with privacy that any Privacy Commissioner must deal with, a Commissioner must regularly question government policy, not just government administration. It is an uncomfortable role, but one of a Commissioner's essential tasks. The former NSW Privacy Commissioner and his staff carried out this role effectively.

     This role as a privacy advocate does not sit comfortably with the office of Ombudsman. The Ombudsman has few similar functions, perhaps the closest being the obligation to keep administrative systems for child protection under scrutiny[6].

    In the debate on this Bill, Shadow Attorney-General Tink said[7] that he was 'very concerned that the advocacy of privacy will ... sink without trace. ', despite his respect for the Ombudsman. 'Privacy needs advocacy; it must be pushed; it must be pressed; it needs a champion', he said.

    If the Ombudsman is not a pro-active privacy advocate, willing to criticise government proposals where necessary, and identified by the public as a source of leadership on privacy policy, privacy protection in NSW will be severely diminished.

     A disturbing aspect of the Bill is that it does not make the Ombudsman also the Privacy Commissioner: instead it extinguishes all reference to their being an office by that name. The symbolic significance of that should not be underestimated. The name 'Privacy Commissioner' at least creates expectations, but no-one expects an Ombudsman to pursue general advances in privacy protection.

    Three other changes reinforce the risk that privacy may disappear as a separately identified issue in NSW.

     There will no longer be a separate Annual Report relating to privacy issues[8], and the Ombudsman is not required by the Bill to report separately on privacy issues. It is therefore possible that privacy issues will simply be subsumed in the general wash of issues of public administration.

     The Ombudsman will have power to delegate his functions under the PPIPA[9] but there is no indication in the Parliamentary debates, or requirement in the Bill, that there be any one officer or section of the Ombudsman's office who would be responsible for privacy issues.

     The Ombudsman is allowed to deal with a PPIPA complaint under the Ombudsman Act[10]. This means that some privacy complaints may not be addressed primarily as breaches of the IPPs, but instead as general maladministration. If any identifiable statistics will be kept on PPIPA complaints (which the Bill does not require), they will therefore not even be comprehensive of privacy issues. This will make comparisons with other jurisdictions very difficult, if possible at all.

    Other writers have seen the absorption of Privacy NSW as part of a more general pattern in NSW. Adele Horin claims[11] '[Premier] Carr has worked assiduously to snuff out sources of bad news. To this end, he is bundling every independent watchdog agency which caused the slightest hint of trouble to his Government into the NSW Ombudsman's office.' She refers to the Privacy Commissioner, the Inspector-General of Prisons, the Child Death Review team and the Community Services Commission as being 'swallowed up by the monster agency.'

    An unprecedented, inappropriate model

    The government's stated justification for the change[12] is that it makes sense to integrate responsibility for privacy with freedom of information and a few other human rights and privacy-related functions already performed by the NSW Ombudsman[13]. It also implies there is some precedent in the integration of privacy and FOI regulation in the UK, Canadian provinces, and the Northern Territory, and similar proposals in WA and Tasmania. The Attorney-General claims 'We are introducing an arrangement that has already been considered and adopted in a number of comparable jurisdictions around the world'[14].

     This is a furphy, because none of the bodies in any of the jurisdictions referred to have responsibilities for significant areas other than privacy and FOI. None of them has the diverse and distracting range of responsibilities of the NSW Ombudsman. None of them are Ombudsmen, they are all specialist 'information commissioners'. In some cases (the Canadian provinces) they have adjudicative functions as well as conciliatory functions: definitely not-Ombudsmen.

    If the NSW government was proposing an office of Information Commissioner, this argument might make some sense, but they are not.

    The truth is the reverse: there are no precedents for absorbing the role of Privacy Commissioner into the office of Ombudsman, because the two roles are so dissimilar that it is an inappropriate model.

    Strengthening Ministers' powers to exempt

    A major deficiency of the PPIPA has been the extent to which exemptions from various aspects of the Bill's operation remain under political control[15].

     The Bill make a bad situation worse, by giving the relevant Ministers the following functions currently performed by the Privacy Commissioner:

    The Ministers will now have the statutory responsibility to exercise each of these functions, but must first consult the Ombudsman. In relation to the first two functions, the relevant Minister will also have a statutory obligation, before granting exemptions from the Acts, to be satisfied that the public interest in compliance with an information protection principle or a privacy code is outweighed by the public interest in the exemption being made. The Commissioner currently has the same obligation.

     These changes are all considered by the Government to be 'consistent with the role of the Ombudsman to recommend, rather than direct, a course of action', and that the current powers would be inconsistent with the Ombudsman's independence as they require Ministerial consent (apparently this was not a problem with the Privacy Commissioner).

    The NSW Parliament's bipartisan Legislation Review Committee has raised[18] the obvious dangers in giving the exemption powers to a Minister, and referred to Parliament the question of 'whether these amendments unduly trespass on individual rights':

    " The amendments have the effect of conferring the power to exempt on the Minister alone. This limits the scope of protection afforded under the legislation. The Minister will also have to weigh the two competing public interests, compliance with information protection principles, and the particular public interest in giving the exemption. ... The problem inherent in this proposal is that any public interest that competes with the "right to privacy" ought to be calculated on a completely disinterested basis. " " Ministerial control over what until now has been controlled by an independent statutory body raises the possibility of political considerations entering into the process of granting temporary exemptions. ... In addition, granting the Minister sole power to grant exemptions from compliance with these Acts may raise a conflict of interest. Given that the government is the largest collector and holder of personal information, the potential for such a conflict to arise is real. "

    Oversight changes

    The Privacy Advisory Committee is to be abolished[19] on the ostensible basis that 'oversight of the exercise of privacy functions' will now be provided by the Parliamentary Committee on the Ombudsman[20]. This is a non-sequitur, as the Privacy Advisory Committee only advised the Commissioner, and did not have an oversight function. Nevertheless, its loss is not significant, and oversight by the Parliamentary Committee on the Ombudsman might well be valuable.

     The review of the Act that must be carried out by the Minister under s75, already due to commence (November 2003) is to be postponed by one year[21]. This is said to give the Ombudsman time to absorb the Privacy role and make an informed contribution to the review[22]. The review will now expressly exclude review of individual complaint cases to avoid any suggestion of interference with that function of the Ombudsman.

     The Privacy Commissioner's role in conducting internal reviews on an agency's behalf, which has never been exercised, is removed and not given the Ombudsman[23]. However, the Ombudsman will still be required to be informed about progress of internal reviews, and retain the right to make submissions[24], so oversight of internal reviews is retained to a significant extent.

    A better approach

    We greeted the birth of the Privacy and Personal Information Protection Act 1998 rather half-heartedly[25], but since then, within its limited scope, the available evidence is that it has functioned reasonably well though on too limited resources (which have been modestly improved in 2003). The office of Privacy Commissioner was involved in controversy. Former Privacy Commissioner Chris Puplick aroused political enmity through his pursuit of privacy complaints against government ministers. This was part of his function, but may have contributed to the Government's decision that they would prefer to be rid of the office. Commissioner Puplick also resigned following criticisms in a report by the Ombudsman that related to his conduct as Privacy Commissioner, and the Ombudsman has recommended the separation of the offices of Privacy Commissioner and Chair of the Anti-Discrimination Board.

    It has always been a deficiency that NSW has had a half-time Privacy Commissioner, and we criticised it before the office was created[26], but this transfer of powers to the Ombudsman offers only a 'no-time' Privacy Commissioner, an Ombudsman with a myriad other responsibilities and priorities. While complaints should be investigated and conciliated well by the Ombudsman's office (at least in relation to the public sector), it is certainly questionable whether the Ombudsman will energetically and effectively carry out the advocacy functions of Privacy Commissioner, or will do so without this placing strains on his position as Ombudsman.

    The Attorney-General argues that the Bill will strengthen privacy protection:

    "It gives privacy protection to a large and powerful organisation, one that has never hesitated to undertake searing investigations into government agencies and to produce critical reports. If the Government really wished to emasculate privacy ... it would leave the small band of privacy staff just where they are: isolated, with an acting leader, subject to endless reviews and committee meetings. That would be the best way to ensure that nothing happened in privacy advocacy."
    The current structure of Privacy NSW is not sacrosanct, and there may be a better institutional structure for privacy protection in NSW than a 'stand-alone' Privacy Commissioner's office. However, as this paper has discussed, there are many reasons to be sceptical of the Government's preferred solution. Some of them could be overcome by an Ombudsman determined to effectively carry out all the functions of the Privacy Commissioner, but inherent problems will remain.

     A better answer would be for the Government to scrap this Bill, appoint a new full--time Privacy Commissioner (who is not also head of the ADB) with a limited term of office, and commence an open and consultative review of the current Act (as the current Act requires) to consider the best long-term structure for privacy protection in NSW. A separate Information Commissioner combining privacy and FOI responsibilities is one model which has been adopted successfully in Australia and overseas and deserves careful consideration here.

     There is no crisis here that has to be solved forthwith. This Bill should be rejected.


    * Professor of Law, University of New South Wales and Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre <g.greenleaf@unsw.edu.au>

    [**] Consultant in fair information practices and former deputy Federal Privacy Commissioner; Research Associate, Baker & McKenzie Cyberspace Law and Policy Centre <nigelwaters@primus.com.au>

    [1] PPIPA 45(1) provides that a 'complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual'. The term 'privacy' is undefined and does not only refer only to breaches of the Information Protection Principles in Part 2 of the Act.

    [2] PPIPA s50

    [3] The Federal Privacy Commissioner received 2,530 enuiries in 2002/3 concerning privacy matters exempt from the Federal Act: Annual Report 2002-03

    [4] HRIPA s11(1) 'This Act applies to every organisation that is a health service provider or that collects, holds or

     uses health information.'; 'organisation' includes a 'private sector person.' (s4)

    [5] Amendment Bill Schedule 1 [11]

    [6] Ombudsman Act 1974, s25B

    [7] NSW Legislative Assembly Hansard, 29 October 2003.

    [8] Amendment Bill Schedule 1 [16] repeals s44 requiring a Privacy Commissioner's Annual Report

    [9] Ombudsman Act 1974 s10; the delegation power in s44 PPIPA will be repealed by the Amendment Bill Schedule 1 [16]

    [10] Amendment Bill Schedule 1[17]

    [11] Adele Horin 'Another tough watchdog muzzled' Sydney Morning Herald November 1 2003

    [12] Mr Guadry , Second Reading Speech, 17 October 2003

    [13] One cited is under the Telecommunications (Interception) (New South Wales) Act

    [14] NSW Legislative Assembly Hansard, 29 October 2003.

    [15] See G Greenleaf A new era for public sector privacy in NSW (1999) 5 PLPR 130 for details.

    [16] Amendment Bill Schedule 1[13]

    [17] Amendment Bill Schedule 1[3]

    [18] Legislation Review Committee Legislation Review Digest No 4 of 2003, 27 October 2003, pgs 20-21

    [19] Amendment Bill Schedule 1[20]

    [20] Second Reading Speech

    [21] Amendment Bill Schedule 1[21]

    [22] Second Reading Speech

    [23] Amendment Bill Schedule 1[19], repealing s54(3)-(5)

    [24] PPIPA s54(1)-(2)

    [25] G Greenleaf A new era for public sector privacy in NSW (1999) 5 PLPR 130 described it as 'a reasonably strong piece of 1980's-style information privacy legislation for the less important (ie non-exempt) parts of what remains of the NSW public sector after corporatisation and privatisation. In the unnecessarily limited realm in which it applies, it is likely to provide some individuals with an effective and inexpensive means of obtaining redress for unjustifiable invasions of privacy.'

    [26] G Greenleaf 'Revolutionary' NSW Bill to set the agenda' (1996) 3 PLPR 17