1. Introduction
PUTTING THIS PAPER IN CONTEXT
1.1 In May 2007, the Commission published a consultation paper on the desirability of introducing a statutory cause of action for breach of privacy in New South Wales.1 This was the broadest, and possibly the most difficult, issue we were required to consider in reviewing generally whether existing legislation in New South Wales is effective in protecting individual privacy.2
1.2 Other specific issues the Commission was asked to inquire into were:
- the advantages of uniform privacy protection principles across Australia; and
- the desirability of a consistent legislative approach to privacy within NSW itself.
1.3 This consultation paper focuses on the second issue and evaluates the effectiveness of the key New South Wales statutes that protect privacy. These are: the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”); the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”); the Freedom of Information Act 1989 (NSW); the Local Government Act 1993 (NSW); and the State Records Act 1998 (NSW).
1.4 The first issue, uniform privacy protection, is one of the key areas of focus of a concurrent inquiry into privacy laws by the Australian Law Reform Commission (“ALRC”).3 Our terms of reference specifically require us to liaise with the ALRC in conducting our review.
ALRC’s review of privacy law
1.5 In September 2007, the ALRC published a comprehensive discussion paper on Australia’s privacy laws, containing a review of the Privacy Act 1988 (Cth) (“Privacy Act”) and related Commonwealth legislation, State and Territory regulation of privacy, and legislative and non-legislative rules, codes and guidelines. It contains approximately 300 proposals for reform. While its focus is on regulation at the federal level, there is nonetheless substantial overlap between the inquiries. For example, the impact of technology on privacy, including surveillance, the internet, smart cards and DNA-based technologies, is relevant at all levels. The Commission will not duplicate research and consultation in areas of common concern and relevance. For this reason, this consultation paper is confined to State-specific privacy laws, namely the ones noted in paragraph 1.3 above.
1.6 The cornerstone of the ALRC report is the premise that privacy laws should be consistent across all Australian jurisdictions.4 To that end, the ALRC proposes the development of Unified Privacy Principles (“UPPs”) and the enactment by the States and Territories of legislation that applies these and adopts relevant definitions used in the Privacy Act.5 The Commission fully supports this proposal for the reasons set out below, and this consultation paper should be considered in that context.
1.7 The ALRC noted that all the submissions it received in response to its Issues Paper 31, Review of Privacy, that addressed the issue of national consistency strongly endorsed its importance.6 A nationally consistent privacy regime would: “lessen unjustified compliance burden and cost”,7 especially for those organisations and agencies that operate across State borders; lessen confusion about who to approach to make a privacy complaint; and remove impediments to information sharing and national initiatives.8 This need for national consistency is heightened in an increasingly technology-driven world, where information is received and shared via the internet and other electronic devices and pathways.
1.8 We endorse the ALRC’s conclusion that:
A nationally consistent privacy regime will ensure that Australians’ personal information will attract similar protection whether that personal information is being handled by an Australian Government agency or a state or territory government agency, a multinational organisation or a small business, and whether that information is recorded in a paper file or electronically.9
1.9 The Commission also notes that the Commonwealth Senate Committee privacy inquiry and the Commonwealth Office of the Privacy Commissioner Review both concluded that privacy laws should be consistent across Australia.10 Further, the pursuit of uniform law initiatives has been our goal in all appropriate areas of law reform in NSW. For example, in Report 107, Guaranteeing Someone Else’s Debts, we recommended that the reform of the law of New South Wales relating to contracts guaranteeing another’s debt would only make sense in the context of a uniform law reform initiative.11
1.10 The ALRC proposes that there be some flexibility in the application of the UPPs and that they be drafted at a high level of generality.12 The Commission agrees that this is the right approach in order to accommodate the differences in practices and obligations across jurisdictions, public and private sectors, and individual businesses. It would also mean that uniform principles could be adopted across New South Wales privacy legislation, eliminating the need for separate Health Privacy Principles.
1.11 The ALRC also proposes that the Privacy Act should apply to all private sector organisations - State, Territory and Commonwealth - so that the States only regulate handling of personal information by their public sector agencies.13 This would result in the exemption from HRIPA of private sector health agencies. The Commission favours this approach and discusses this option in Chapter 3.
The purpose of this paper
1.12 This paper examines in detail the adequacy of the provisions of PPIPA and HRIPA and related Acts, considering how they could be amended to operate more effectively. On one view, this could be seen as a redundant exercise if there is to be a national overhaul of privacy laws that remakes existing frameworks and principles. Furthermore, the current legislation may not be the best platform for reform in meeting the challenges posed by existing and emerging technologies.
1.13 The attainment of national uniformity cannot, however, be assumed. Even if uniformity is eventually achieved, the process of developing UPPs and achieving consistency between the federal and State and Territory jurisdictions may be a lengthy one. This phase of our inquiry points to the need for reform in detail of PPIPA and HRIPA in order to enable public sector agencies in particular to achieve the more certain, efficient and fairer protection of the privacy of individuals. In doing so, our inquiry informs the debate about the development of any proposed new national regulatory framework. In short, it represents a step along the continuum of privacy reform.
1.14 Moreover, as has been pointed out above, uniformity is not necessarily pursued or achieved in detail: it may be more about uniformity at the level of principle. Uniform principles are applied in New South Wales legislation in a way that is relevant to this jurisdiction. The proposed UPPs, for example, are stated at such a high level of generality that implementation will necessarily depend on mechanisms and processes at State level. The enforcement mechanisms adopted in New South Wales legislation and the role of the Privacy Commissioner in New South Wales are necessarily questions that must be addressed from a New South Wales perspective, even if they are to operate within a national framework.
FURTHER ISSUES
1.15 The paper focuses on the detail of legislation as it currently operates in NSW. However, we are conscious that our terms of reference require us generally to inquire into “whether existing legislation in New South Wales provides an effective framework for the protection of the privacy of an individual”.14 There are two factors in particular that are relevant to an effective framework that the Commission intends to investigate further. These are:
- the extent to which appropriate information sharing is actually occurring in New South Wales; and
- the extent to which the criminal provisions of New South Wales privacy legislation are working appropriately.
Information sharing
1.16 We agree with the ALRC that “appropriate” information sharing, compliant with privacy laws, should be encouraged.15 Yet, as the ALRC has documented, a “risk averse” interpretation of privacy laws, encouraged by the difficulties of complying with inconsistent, fragmented and multi-layered privacy legislation, can result in a reluctance by agencies and organisations to share information.16 While this can impact on business as a compliance cost,17 its most serious impact is in the provision of services to vulnerable people, particularly in the area of child protection,18 which we take as an example.
1.17 It is obviously essential to have a simple and practical system for the exchange of information between agencies that promotes the safety, welfare and well-being of children. Section 248 of the Children and Young Persons (Care and Protection) Act 1998 (NSW) provides that the Department of Community Services (“DOCS”) may exchange information about a child with a prescribed body, but not that these prescribed bodies may exchange information with each other. Prescribed bodies include the Police Service, government departments, schools, TAFEs, hospitals, fostering agencies, child care centres, adoption agencies, the Family Court of Australia and Centrelink, among others.
1.18 As the law currently stands, agencies or organisations sharing information with each other may be in breach of s 248 of the Children and Young Persons (Care and Protection) Act 1998 (NSW) or of PPIPA, HRIPA or the Privacy Act, or may even be committing an offence under s 254 of the Children and Young Persons (Care and Protection) Act 1998 (NSW). That section provides that it is an offence for a person to disclose any information obtained in connection with the administration or execution of the Act. Yet not to share information either forces the agency or organisation to go through DOCS, when this may not be appropriate or otherwise necessary, or hinders the crucial role that these bodies play in protecting and caring for children. Limiting the scope of s 248 fails to recognise the common scenario where various agencies and organisations have different responsibilities in relation to a particular child and need to share information with each other to provide joint support for the child.19
1.19 Some options to address this problem are to expand s 248 to allow inter-agency information sharing, or to formulate Privacy Codes of Practice under PPIPA and HRIPA. The definition of “human services” in the Health Records and Information Privacy Code of Practice 2005 and in Part 4 of the Privacy Code of Practice (General) 2003, which allow public and private organisations that provide “human services” to collect, use and disclose personal information about an individual to each other, could be expanded by explicitly including agencies that provide children’s or policing services. Alternatively, PPIPA and HRIPA could be amended to deal specifically with the problem and the impact of s 248.
1.20 The Commission invites submissions on the extent to which there are cultural and legal impediments to appropriate information sharing in New South Wales. We also invite submissions on how the issue should be addressed.
Criminal sanctions
1.21 In our consultation paper, Invasion of Privacy, we outlined the extent to which the criminal law protects individuals against privacy invasions.20 Section 62 and s 63 of PPIPA impose criminal sanctions for, respectively: corrupt disclosure and use of personal information by a public sector official; and offering to supply personal information that has been disclosed unlawfully. Section 67 imposes criminal sanctions on the Privacy Commissioner or a staff member for disclosure of information otherwise than in accordance with the legislation. Section 68 imposes criminal sanctions in relation to dealings with the Privacy Commissioner.
1.22 In line with s 62 and 63 of PPIPA, s 68 and 69 of HRIPA impose criminal sanctions for, respectively: corrupt disclosure and use of health information by a public sector official; and offering to supply health information that has been disclosed unlawfully. Section 70 of HRIPA imposes criminal sanctions for using threats, intimidation or misrepresentations to: (1) stop, or try to stop, a person from requesting access to health information, making a complaint to the Privacy Commissioner or Tribunal, or applying for review of conduct, or from withdrawing a request, complaint or application; or (2) force a person to give consent or to do something without consent, where the Act requires consent.
1.23 While the Commission is aware of one pending case under privacy laws,21 the criminal sanction provisions of the legislation considered in this consultation paper do not appear to have been used in practice. We invite submissions on the extent to which the provisions are adequate and satisfactory with a view to determining the extent to which they ought to be used as a method of protecting individual privacy.
AN OUTLINE OF THE CHAPTERS
1.24 The substantive part of the paper begins, in Chapters 2 and 3, with an overview of the current federal and New South Wales privacy statutes. Chapter 2 focuses on federal privacy laws, in particular, the Privacy Act. Chapter 3 describes the operation and provisions of PPIPA and HRIPA and provides a summary of the Information Protection Principles and Health Privacy Principles, their roles and purposes, applicable exemptions and complaints-handling mechanisms.
1.25 Chapter 4 examines ways of achieving greater consistency of structure within and between New South Wales privacy laws. In particular, the chapter seeks views on:
- whether the structural basis of PPIPA and HRIPA is the most effective way of promoting the aims of each piece of legislation;
- whether New South Wales should continue, under HRIPA, to regulate the privacy of health information handled by the private sector, given the ALRC’s proposal for this to be regulated nationally; and
- whether, in the light of the above point, if HRIPA is restricted to the regulation of health information held by the public sector only, the need for separate health privacy legislation in New South Wales persists.
1.26 Chapter 5 inquires into whether the scope of PPIPA and/or HRIPA can or should be extended: by limiting the numerous exemptions in the legislation, particularly exemptions to the definition of “personal information”; and/or by giving express protection to areas, subject matters or activities beyond information privacy. It also considers whether an expanded range of remedies should be made available under PPIPA for breaches of privacy. The chapter then discusses the prospect of a statutory cause of action for invasion of privacy and how this would intersect with PPIPA and HRIPA and other privacy laws.
1.27 Chapters 6 and 7 take the inquiry to a more detailed level. They identify specific problems with the operation of particular provisions of PPIPA and HRIPA. Chapter 6 focuses on the difficulties that agencies and the public experience in relation to the operation of the Privacy Principles. Chapter 7 examines issues relating to: s 37 and 38 of PPIPA; privacy codes of practice; public interest directions; complaints about, and review of, agency/organisation conduct; and two exemptions arising from s 24 and 25 of PPIPA.
1.28 As well as the ALRC’s review of privacy laws, the NSW Health Department is presently conducting a statutory review of HRIPA. The Commission will draw on the findings of both those reviews in formulating our final recommendations. The chapters do, however, raise 68 issues for community consultation and response and make 20 proposals for reform.
1.29 Chapter 8 examines the relationship of PPIPA to other statutes that afford privacy protection, namely the Freedom of Information Act 1989 (NSW), the Local Government Act 1993 (NSW) and the State Records Act 1998 (NSW). It examines the duplication and inconsistencies between PPIPA and these statutes. It also considers the arguments for and against amalgamation of the oversight of privacy and freedom of information.
FOOTNOTES
1. New South Wales Law Reform Commission, Invasion of Privacy (Consultation Paper 1, 2007).
2. Terms of Reference are set out at p viii.
3. See Australian Law Reform Commission, Review of Privacy (Issues Paper 31, 2006); Australian Law Reform Commission, Review of Privacy (Discussion Paper 72, 2007).
4. ALRC DP 72, [1.5].
5. ALRC DP 72, Proposal 44.
6. ALRC DP 72, [4.11].
7. ALRC DP 72, [4.11].
8. ALRC DP 72, [4.14].
9. ALRC DP 72, [4.16].
10. Senate Legal and Constitutional References Committee, Parliament of Australia, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), Rec 3; Office of the Privacy Commissioner, Getting in on the Act: The Review of Private Sector Provisions of the Privacy Act 1988 (2005), Recs 2-7.
11. New South Wales Law Reform Commission, Guaranteeing Someone Else’s Debts (Report 107, 2006), Rec 4.1.
12. See ALRC DP 72, vol 2 pt D.
13. ALRC DP 72, Proposal 41.
14. Terms of reference are at p viii.
15. ALRC DP 72, [11.10]-[11.11].
16. ALRC DP 72, [11.1]-[11.9].
17. ALRC DP 72, [11.9].
18. See ALRC DP 72, [11.8].
19. Examples include: carrying out a risk assessment of a child; principals of schools notifying each other of a “risk of harm” situation where the child has changed schools; or an agency obtaining police information to investigate allegations against an employee, particularly where that employee is working with children.
20. New South Wales Law Reform Commission, Invasion of Privacy (Consultation Paper 1, 2007), [2.90]-[2.112].
21. In a case not heard at the time of writing, two police officers were charged with unlawfully disclosing personal information after they disclosed to a man in their custody that his girlfriend was born a male but underwent gender reassignment surgery: Kim Arlington, “Accused joked about transvestite lover he allegedly assaulted” The Daily Telegraph (Sydney), 6 February 2008.