5 November 2003
(for publication in (2003) 10(6) Privacy Law & Policy Reporter, LexisNexis Australia)
Ombudsman investigating the private sector? Privacy advocate and Ombudsman: an odd couple Will 'the advocacy of privacy ... sink without trace' ? An unprecedented, inappropriate model Strengthening Ministers' powers to exempt Oversight changes A better approach
The New South Wales government has moved to transfer the functions of the NSW Privacy Commissioner to the Ombudsman. It is an unprecedented model for privacy protection, and runs the risk of constituting a significant diminution of privacy protection in NSW.
The NSW Attorney General (Mr Debus) tabled the Privacy and Personal Information Protection Amendment Bill 2003 on 17 October 2003, and it passed the lower house against Opposition objection on 29 October. Its fate in the Legislative Council is uncertain.
The main provisions of the Bill transfer to the NSW Ombudsman most of the Privacy Commissioner's functions under the Privacy and Personal Information Protection Act 1998 (PPIPA), the Health Records and Information Privacy Act 2002 (HRIPA) and other legislation. Some significant exceptions concerning exemption-making powers, and some minor ones concerning complaints, are noted below. The government states that the resources of Privacy NSW will also be transferred, although it remains to be seen if both the equivalent funds and the experienced staff go to the Ombudsman in their entirety.
The Ombudsman, Mr Barbour, can be expected to be an effective ombudsman in resolving privacy complaints against government agencies. However, as we detail in this article, when we consider all of the roles of a Privacy Commissioner, some are not a comfortable fit for an ombudsman. An Ombudsman determined to be a privacy advocate might make it work effectively, but the risks for the effective continuation of privacy protection in NSW are significant.
However, the NSW Privacy Commissioner may investigate privacy interferences by private sector bodies[1], including on his own motion, and make recommendations[2]. This function of the Privacy Commissioner to investigate any privacy interference by any person was inherited from the former NSW Privacy Committee. It has continued to be exercised by Privacy NSW despite the Commonwealth private sector privacy legislation. Because the Commonwealth legislation has so many exceptions (including employment issues, and small businesses with turnover under $3M) , and only applies to breaches of the NPPs in any event[3], this power of the NSW Privacy Commissioner continues to be of importance, particularly in relation to clubs and other NGOs under the $3M threshold, and surveillance activities..
The HRIPA goes further, imposing a set of health privacy principles on all private sector health service providers[4].
These private sector responsibiliteis do not fit comfortably with the Ombudsman's role which is normally limited to investigating public authorities. It is difficult to believe that the Ombudsman will exercise these functions with any enthusiasm, or ever on his own motion, and easy to see that it could confuse public perceptions of his office. It is also hard to imagine any but the most astute members of the public ever thinking of complaining to the NSW Ombudsman about the privacy practices of private sector bodies.
If this role of the Privacy Commissioner is lost in practice (though transferred in theory), privacy protection in NSW is diminished.
"(f) to conduct research, and collect and collate information, about any matter relating to the protection of personal information and the privacy of individuals,
(g) to provide advice on matters relating to the protection of personal information and the privacy of individuals,
(h) to make public statements about any matter relating to the privacy of individuals generally,
(i) to conduct education programs, and to disseminate information, for the purpose of promoting the protection of the privacy of individuals,
(j) to prepare and publish reports and recommendations about any matter (including developments in technology) that concerns the need for, or the desirability of, legislative, administrative or other action in the interest of the privacy of individuals,
(k) to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies),
(l) to conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate. " [to be amended to 'the Ombudsman']
The NSW Privacy Commissioner, in common with Commissioners in other jurisdictions in Australia and overseas, therefore has an important role of keeping abreast of technological changes and social practices affecting privacy, and of making public statements and even recommending legislative initiatives to deal with them. As with complaints, these advocacy functions cover private sector activities as well as the public sector.
This role as a privacy advocate does not sit comfortably with the office of Ombudsman. The Ombudsman has few similar functions, perhaps the closest being the obligation to keep administrative systems for child protection under scrutiny[6].
In the debate on this Bill, Shadow Attorney-General Tink said[7] that he was 'very concerned that the advocacy of privacy will ... sink without trace. ', despite his respect for the Ombudsman. 'Privacy needs advocacy; it must be pushed; it must be pressed; it needs a champion', he said.
If the Ombudsman is not a pro-active privacy advocate, willing to criticise government proposals where necessary, and identified by the public as a source of leadership on privacy policy, privacy protection in NSW will be severely diminished.
A disturbing aspect of the Bill is that it does not make the Ombudsman also the Privacy Commissioner: instead it extinguishes all reference to their being an office by that name. The symbolic significance of that should not be underestimated. The name 'Privacy Commissioner' at least creates expectations, but no-one expects an Ombudsman to pursue general advances in privacy protection.
Three other changes reinforce the risk that privacy may disappear as a separately identified issue in NSW.
There will no longer be a separate Annual Report relating to privacy issues[8], and the Ombudsman is not required by the Bill to report separately on privacy issues. It is therefore possible that privacy issues will simply be subsumed in the general wash of issues of public administration.
The Ombudsman will have power to delegate his functions under the PPIPA[9] but there is no indication in the Parliamentary debates, or requirement in the Bill, that there be any one officer or section of the Ombudsman's office who would be responsible for privacy issues.
The Ombudsman is allowed to deal with a PPIPA complaint under the Ombudsman Act[10]. This means that some privacy complaints may not be addressed primarily as breaches of the IPPs, but instead as general maladministration. If any identifiable statistics will be kept on PPIPA complaints (which the Bill does not require), they will therefore not even be comprehensive of privacy issues. This will make comparisons with other jurisdictions very difficult, if possible at all.
Other writers have seen the absorption of Privacy NSW as part of a more general pattern in NSW. Adele Horin claims[11] '[Premier] Carr has worked assiduously to snuff out sources of bad news. To this end, he is bundling every independent watchdog agency which caused the slightest hint of trouble to his Government into the NSW Ombudsman's office.' She refers to the Privacy Commissioner, the Inspector-General of Prisons, the Child Death Review team and the Community Services Commission as being 'swallowed up by the monster agency.'
This is a furphy, because none of the bodies in any of the jurisdictions referred to have responsibilities for significant areas other than privacy and FOI. None of them has the diverse and distracting range of responsibilities of the NSW Ombudsman. None of them are Ombudsmen, they are all specialist 'information commissioners'. In some cases (the Canadian provinces) they have adjudicative functions as well as conciliatory functions: definitely not-Ombudsmen.
If the NSW government was proposing an office of Information Commissioner, this argument might make some sense, but they are not.
The truth is the reverse: there are no precedents for absorbing the role of Privacy Commissioner into the office of Ombudsman, because the two roles are so dissimilar that it is an inappropriate model.
The Bill make a bad situation worse, by giving the relevant Ministers the following functions currently performed by the Privacy Commissioner:
These changes are all considered by the Government to be 'consistent with the role of the Ombudsman to recommend, rather than direct, a course of action', and that the current powers would be inconsistent with the Ombudsman's independence as they require Ministerial consent (apparently this was not a problem with the Privacy Commissioner).
The NSW Parliament's bipartisan Legislation Review Committee has raised[18] the obvious dangers in giving the exemption powers to a Minister, and referred to Parliament the question of 'whether these amendments unduly trespass on individual rights':
" The amendments have the effect of conferring the power to exempt on the Minister alone. This limits the scope of protection afforded under the legislation. The Minister will also have to weigh the two competing public interests, compliance with information protection principles, and the particular public interest in giving the exemption. ... The problem inherent in this proposal is that any public interest that competes with the "right to privacy" ought to be calculated on a completely disinterested basis. " " Ministerial control over what until now has been controlled by an independent statutory body raises the possibility of political considerations entering into the process of granting temporary exemptions. ... In addition, granting the Minister sole power to grant exemptions from compliance with these Acts may raise a conflict of interest. Given that the government is the largest collector and holder of personal information, the potential for such a conflict to arise is real. "
The review of the Act that must be carried out by the Minister under s75, already due to commence (November 2003) is to be postponed by one year[21]. This is said to give the Ombudsman time to absorb the Privacy role and make an informed contribution to the review[22]. The review will now expressly exclude review of individual complaint cases to avoid any suggestion of interference with that function of the Ombudsman.
The Privacy Commissioner's role in conducting internal reviews on an agency's behalf, which has never been exercised, is removed and not given the Ombudsman[23]. However, the Ombudsman will still be required to be informed about progress of internal reviews, and retain the right to make submissions[24], so oversight of internal reviews is retained to a significant extent.
It has always been a deficiency that NSW has had a half-time Privacy Commissioner, and we criticised it before the office was created[26], but this transfer of powers to the Ombudsman offers only a 'no-time' Privacy Commissioner, an Ombudsman with a myriad other responsibilities and priorities. While complaints should be investigated and conciliated well by the Ombudsman's office (at least in relation to the public sector), it is certainly questionable whether the Ombudsman will energetically and effectively carry out the advocacy functions of Privacy Commissioner, or will do so without this placing strains on his position as Ombudsman.
The Attorney-General argues that the Bill will strengthen privacy protection:
"It gives privacy protection to a large and powerful organisation, one that has never hesitated to undertake searing investigations into government agencies and to produce critical reports. If the Government really wished to emasculate privacy ... it would leave the small band of privacy staff just where they are: isolated, with an acting leader, subject to endless reviews and committee meetings. That would be the best way to ensure that nothing happened in privacy advocacy."The current structure of Privacy NSW is not sacrosanct, and there may be a better institutional structure for privacy protection in NSW than a 'stand-alone' Privacy Commissioner's office. However, as this paper has discussed, there are many reasons to be sceptical of the Government's preferred solution. Some of them could be overcome by an Ombudsman determined to effectively carry out all the functions of the Privacy Commissioner, but inherent problems will remain.
A better answer would be for the Government to scrap this Bill, appoint a new full--time Privacy Commissioner (who is not also head of the ADB) with a limited term of office, and commence an open and consultative review of the current Act (as the current Act requires) to consider the best long-term structure for privacy protection in NSW. A separate Information Commissioner combining privacy and FOI responsibilities is one model which has been adopted successfully in Australia and overseas and deserves careful consideration here.
There is no crisis here that has to be solved forthwith. This Bill should be rejected.
[**] Consultant in fair information practices and former deputy Federal Privacy Commissioner; Research Associate, Baker & McKenzie Cyberspace Law and Policy Centre <nigelwaters@primus.com.au>
[1] PPIPA 45(1) provides that a 'complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual'. The term 'privacy' is undefined and does not only refer only to breaches of the Information Protection Principles in Part 2 of the Act.
[2] PPIPA s50
[3] The Federal Privacy Commissioner received 2,530 enuiries in 2002/3 concerning privacy matters exempt from the Federal Act: Annual Report 2002-03
[4] HRIPA s11(1) 'This Act applies to every organisation that is a health service provider or that collects, holds or
uses health information.'; 'organisation' includes a 'private sector person.' (s4)
[5] Amendment Bill Schedule 1 [11]
[6] Ombudsman Act 1974, s25B
[7] NSW Legislative Assembly Hansard, 29 October 2003.
[8] Amendment Bill Schedule 1 [16] repeals s44 requiring a Privacy Commissioner's Annual Report
[9] Ombudsman Act 1974 s10; the delegation power in s44 PPIPA will be repealed by the Amendment Bill Schedule 1 [16]
[10] Amendment Bill Schedule 1[17]
[11] Adele Horin 'Another tough watchdog muzzled' Sydney Morning Herald November 1 2003
[12] Mr Guadry , Second Reading Speech, 17 October 2003
[13] One cited is under the Telecommunications (Interception) (New South Wales) Act
[14] NSW Legislative Assembly Hansard, 29 October 2003.
[15] See G Greenleaf A new era for public sector privacy in NSW (1999) 5 PLPR 130 for details.
[16] Amendment Bill Schedule 1[13]
[17] Amendment Bill Schedule 1[3]
[18] Legislation Review Committee Legislation Review Digest No 4 of 2003, 27 October 2003, pgs 20-21
[19] Amendment Bill Schedule 1[20]
[20] Second Reading Speech
[21] Amendment Bill Schedule 1[21]
[22] Second Reading Speech
[23] Amendment Bill Schedule 1[19], repealing s54(3)-(5)
[24] PPIPA s54(1)-(2)
[25] G Greenleaf A new era for public sector privacy in NSW (1999) 5 PLPR 130 described it as 'a reasonably strong piece of 1980's-style information privacy legislation for the less important (ie non-exempt) parts of what remains of the NSW public sector after corporatisation and privatisation. In the unnecessarily limited realm in which it applies, it is likely to provide some individuals with an effective and inexpensive means of obtaining redress for unjustifiable invasions of privacy.'
[26] G Greenleaf 'Revolutionary' NSW Bill to set the agenda' (1996) 3 PLPR 17