Banner
 spacer
print  Print page  
Consultation Paper 3 (2008) - Privacy legislation in New South Wales


3. Current privacy protection - New South Wales

Updates and background for this project (Digest)

INTRODUCTION

3.1 In New South Wales, there are two main statutes that offer privacy protection, principally in relation to the handling of personal information, namely the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”) and the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”). This chapter provides a summary of the coverage of each statute, the role and purpose of the information protection principles and the health privacy principles, the applicable exemptions and the complaints handling mechanisms.

3.2 Other New South Wales statutes that regulate aspects of privacy are the Workplace Surveillance Act 2005 (NSW), Listening Devices Act 1994 (NSW), Crimes (Forensic Procedures) Act 2000 (NSW), Freedom of Information Act 1989 (NSW), State Records Act 1998 (NSW) and the Local Government Act 1993 (NSW). These are dealt with in brief in paragraph 3.93.

THE PRIVACY AND PERSONAL INFORMATION PROTECTION ACT 1998 (NSW)

3.3 PPIPA is intended “to provide for the protection of personal information, and for the protection of the privacy of individuals generally; to provide for the appointment of a Privacy Commissioner; to repeal the Privacy Committee Act 1975 (NSW); and for other purposes”1 and regulates the handling of personal information (excluding health information)2 by New South Wales public sector agencies. Unlike the Privacy Act 1988 (Cth), it does not cover the private sector. It defines personal information as “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”3

3.4 It sets out Information Protection Principles (“IPPs”) that are similar, but not identical, to the Commonwealth IPPs found in the Commonwealth Act. There are a number of differences between the Commonwealth IPPs and the New South Wales IPPs. For example, in relation to the principle relating to storage and security of personal information, PPIPA provides that the relevant public sector agency must not keep information longer than necessary. Further the agency must ensure secure disposal of personal information, in accordance with retention and disposal requirements.4 The Commonwealth IPPs are silent on this matter.

Background and development of PPIPA

3.5 PPIPA established the first enforceable standards for the collection, storage, use and disclosure of personal information in the public sector in New South Wales. It replaced the original Privacy Committee Act 1975 (NSW), which had put New South Wales at the forefront of privacy protection in the world, although it did not contain any enforceable standards. PIPPA was passed in 1998, but commenced in stages, not requiring public sector agencies to be bound by the standards until July 2000.

3.6 The objectives of PPIPA are set out in the Second Reading Speech of the then Attorney General, the Hon Jeff Shaw, QC, as follows:

    • to promote the protection of the privacy of individuals;
    • to specify information protection principles that relate to the collection, use and disclosure of personal information held by public sector agencies;
    • to require public sector agencies to comply with these principles;
    • to provide for the making of privacy codes of practice for the purpose of protecting the privacy of individuals;
    • to provide for the making of complaints about privacy related matters;
    • for the review of conduct that involves the contravention of the information protection principles or privacy codes of practice; and
    • to establish an office of Privacy Commissioner and confer on the Privacy Commissioner functions relating to privacy and the protection of personal information.
3.7 PPIPA has been amended from time to time since its enactment. In 2002, the right of prisoners and their families to receive monetary compensation for breaches of privacy by government agencies was removed.5 In 2004, other amendments passed in 2002 came into operation. One amendment allowed sensitive personal information to be disclosed only where there is a serious and imminent threat to the life or health of the individual concerned or another person. Another amendment ensured that public sector agencies and personnel who give access to personal information, in good faith, are not liable for those acts.6 Regulations making transitional arrangements7 and creating exemptions8 have also been passed.

3.8 The New South Wales Attorney General’s Department conducted a statutory review of PPIPA in 2004. This was in accordance with the legislative requirement that the Act be reviewed five years from its date of commencement to ensure that the policy objectives remained valid and that the provisions in the Act remained appropriate for securing the objectives.9 The review considered over 70 submissions and in its report made 27 recommendations for reform, many of which are considered in this inquiry.

What is covered?

3.9 While there are many different aspects to privacy protection including the protection of bodily privacy, privacy of personal behaviour, privacy of communications and territorial privacy, PPIPA is primarily concerned with privacy of personal information. This is expansively defined to include an individual’s fingerprints, retina prints, body samples or genetic characteristics.10 If certain information is considered “personal information” under PPIPA, then information privacy focuses on the need to ensure that an individual’s personal information is dealt with in a manner that is fair and reasonable. It is often confused with secrecy and confidentiality but it is in fact a much broader concept.

3.10 Although PPIPA primarily deals with information privacy, it does have a wider ambit by virtue of the Privacy Commissioner’s general power to “ receive, investigate and conciliate complaints about privacy related matters” [emphasis added].11 However, the remedy available for breaches of privacy is limited to conciliation. This issue is discussed in detail in Chapter 5.

What is “personal information”?

3.11 As noted above, “personal information” is a key concept in determining the scope of PPIPA and is defined in s 4 to mean any information or opinion about an identifiable person. It includes:

    • written records about a person;
    • a photograph or image of a person;
    • fingerprints or DNA samples that identify a person; and
    • information about a person that is not written down, but which is in the possession or control of the agency.
3.12 Privacy NSW is of the view that “personal information” does not always have to include a name. The test is whether a person’s identity can reasonably be ascertained from the information or opinion.12 Thus, the provision of other details may be sufficient to identify a person even if the name is withheld. The name alone, in the absence of any other information, is also often adequate to qualify as personal information in contexts where it implies some further information that would itself qualify as personal information, for instance, the name appearing on a debt recovery list.13

3.13 The definition of “personal information” is, however, subject to a wide range of exemptions. Section 4 of PPIPA sets out the range of information that is not to be included within the definition of “personal information” as follows:

      (a) information about an individual who has been dead for more than 30 years,

      (b) information about an individual that is contained in a publicly available publication,

      (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,

      (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,

      (e) information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,

      (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,

      (g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,

      (h) information about an individual arising out of a complaint made under Part 8A of the Police Act 1990,

      (i) information about an individual that is contained in a document of a kind referred to in clause 1 or Schedule 1(restricted documents) to the Freedom of Information Act 1989 (ie Cabinet or Executive Council documents),

      (j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official,

      (ja) information about an individual that is contained about an individual under Chapter 8 of the Adoption Act 2000,

      (k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

This dramatic cutting back of what constitutes personal information by virtue of the number of exemptions is analysed in Chapter 5.14

Who is covered?

3.14 PPIPA deals with management of information privacy by all public sector agencies, defined in s 3 to include: all State government departments, statutory or declared authorities, the NSW Police service, local councils and bodies whose accounts are subject to the Auditor General.

3.15 Section 3 specifically excludes State owned corporations from the definition of “public sector agency”. The rationale for this exclusion was originally to ensure that they would not have to comply with privacy principles that equivalent private sector organisations were not required to comply with. Subsequently however, the federal privacy legislation was extended to apply to the private sector and state instrumentalities were required to be incorporated under the Corporations Act 2001 (Cth) or be specifically prescribed for the Privacy Act 1988 (Cth) to be applicable. To date, only four New South Wales State owned corporations have been prescribed. The question of whether State owned corporations should continue to be excluded from the operation of PPIPA is explored in Chapter 5.

3.16 There are further provisions strewn through PPIPA that exempt many agencies and entities from the operation of the Act. For instance, s 27 of PPIPA exempts law enforcement agencies, namely the Independent Commission Against Corruption, the Police Service, the Police Integrity Commission, the Inspector of the Police Integrity Commission, the staff of the Inspector of the Police Integrity Commission and the NSW Crime Commission, from the requirement to comply with the IPPs, which effectively covers the scope of PPIPA. While the rationale for this exemption was to ensure that “the purpose of the legislation is not to protect secrecy in dealings or to protect the Government from accountability for its actions”,15 Privacy NSW is concerned that there are negative side effects of such exemptions.16 This issue is canvassed in detail in Chapter 5.

3.17 There are many other similar limitations to the scope and operation of PPIPA, discussed in detail in Chapter 5.

The Information Protection Principles

3.18 Sections 8-19 set out 12 Information Protection Principles (IPPs), described as the “backbone” of PPIPA, that must be adhered to by all public sector agencies in the management of personal information. These principles can be grouped into five main categories according to the areas they regulate:

    • collection;
    • storage;
    • access;
    • use; and
    • disclosure.
3.19 Collection of information is dealt with in IPPs 1-4,17 which require that collection must be:
      1. for a lawful purpose and only if it is directly related to the agency’s activities and necessary for that purpose;18

      2. collected directly from the person concerned, unless the person concerned has given consent to obtain the information from another person or the person concerned is a minor (in which case, parents and guardians can give consent);19

      3. collected in an open manner in that before collecting personal information, agencies must inform the person of the actual collection, the purpose/s of collection, the intended recipients, whether the supply of information is required by law or is voluntary, whether the person can have access to and correct the information;20 and

4. relevant, accurate, up to date, complete and not excessive.21

3.20 Storage of information is dealt with in IPP 5:

      5. Agencies must ensure that the information is stored securely and that it is not kept for longer than is necessary. When the information is disposed of, such disposal must also be done appropriately. 22
3.21 Access to information is dealt with in IPPs 6-9:
      6. All reasonable steps must be taken to enable a person to ascertain what information is being stored, the purpose of storage and any rights the person may have to access the information,23 with a view to ensuring transparency.

      7. The information held by an agency must also be accessible at the request of the person concerned, and must be provided without unreasonable delay or expense. 24

      8. The agency must, at the request of the person concerned, make necessary amendments to the information to ensure that the information is accurate, relevant and up to date, complete and not misleading.25

3.22 Use of information is dealt with in IPPs 9 and 10:
      9. Agencies must ensure that the information is accurate before using it.26

      10. The information can only be used for the limited purpose for which it was collected, for a directly related purpose, or for a purpose to which consent has been given. It can also be used without consent in order to deal with a serious and imminent threat to a person’s health or safety.27

3.23 Disclosure of information is dealt with in IPPs 11 and 12:
      11. Disclosure is restricted to information with consent or for a related purpose that is unlikely to be objected to. Disclosure without consent is only permitted in order to deal with a serious and imminent threat to any person’s health or safety.28

      12. Sensitive information is safeguarded and can only be disclosed with consent or without consent to deal with a serious and imminent threat to any person’s health or safety.29

Exemptions

3.24 The exemption mechanism that applies to information privacy is fourfold:

    • exemptions within PPIPA;
    • exemptions effected by regulations;
    • exemptions in privacy codes of practice, made by the Attorney General under PPIPA; and
    • exemptions in public interest directions, made by the Privacy Commissioner under PPIPA.
Exemptions within PPIPA

3.25 The exemptions in PPIPA are contained in various parts of the Act and apply to various aspects of its coverage. Division 3 of Part 2 deals with specific exemptions from the IPPs. Some exemptions apply in relation to all IPPs,30 while others limit the operation of particular IPPs.31

3.26 Exemptions also arise out of the definitions. For instance, as stated above, the definition of a “public sector agency” specifically excludes State owned corporations from its operation,32 just as the definition of “personal information” excludes a range of information in 12 different circumstances.33

3.27 There are also various investigative agencies that are specifically exempted from the operation of PPIPA, such as the Independent Commission Against Corruption, the NSW Police Force and the NSW Crime Commission.34 Other organisations, such as the Ombudsman’s Office, the Health Care Complaints Commission, the Anti-Discrimination Board and the Guardianship Board, are exempted from the application of a particular IPP relating to sensitive information.35

3.28 Yet another category of exemption applies to courts, tribunals and Royal Commissions but only in respect of their respective judicial and Commission functions.36

3.29 Section 5 of PPIPA exempts the Freedom of Information Act 1989 (NSW) from its ambit while s 20(5) imports restrictions from the Freedom of Information Act into PPIPA. However, there appears to be some concern over the practical application of these provisions and the relationship between privacy and access to information. This is discussed in detail in Chapter 6 at paragraph 6.32 and in Chapter 8 at paragraph 8.10. Similarly, the Local Government Act 1993 (NSW) makes provision for access to information giving rise to possible competing statutory requirements between PPIPA and the Local Government Act 1993 (NSW). The interaction between privacy and access to information is dealt with in Chapter 7.

Other exemption mechanisms - regulations, codes and directions

3.30 PPIPA also establishes mechanisms, namely regulations, codes and directions, by which exemptions are made.

3.31 Regulations. Section 71 makes provision for the Governor to make regulations exempting specified persons or public sector agencies from any of the provisions of PPIPA. The Privacy and Personal Information Protection Regulation 2005 exempts:

    • certain information contained in archives, or held by a library, art gallery or museum or the State Records Authority from the definition of personal information;
    • certain public sector agencies from the requirements of s 33 to prepare and implement a privacy management plan;37
    • certain public registers and rolls kept by: the Registrar General under the Real Property Act 1900 (NSW) and the Conveyancing Act 1919 (NSW); the Valuer General; the Attorney General with respect to the register of justices; and the Minister administering the Water Management Act 2000 (NSW) from the provision of Part 6 of PPIPA; and 38
    • the Law Society and the Bar Association from the operation of PPIPA generally.39
3.32 Privacy codes. Part 3 of Division 1 provides for the making of privacy codes of practice by an order of the Attorney General in consultation with the Privacy Commissioner. This differs from the making of regulations, which require no consultation with the Privacy Commissioner, but can be disallowed by Parliament. Privacy codes are made “for the purpose of protecting the privacy of individuals”40 and “may regulate the collection, use and disclosure of, and the procedures for dealing with, personal information held by public sector agencies”.41 Section 30 states that a privacy code may modify IPPs and in particular, may:
      (a) specify requirements that are different from the requirements set out in the principles, or exempt any activity or conduct of or by the public sector agency from compliance with any such principle, and

      (b) specify the manner in which any one or more of the information protection principles are to be applied to, or are to be followed by, the public sector agency, and

      (c) exempt a public sector agency, or class of public sector agency, from the requirement to comply with any information protection principle.

3.33 The Attorney General has approved a number of privacy codes of practice that modify or waive the application of the IPPs. An issue arising out of the scope of privacy codes is raised in Chapter 7 at paragraphs 7.12-7-13.

3.34 Directions. The Privacy Commissioner may make a written direction approved by the Attorney General exempting agencies from complying with IPPs or privacy codes or may direct that an IPP or code is modified as specified.42 Such directions are referred to as “public interest directions” because the Privacy Commissioner must be satisfied that the public interest in requiring the public sector agency to comply with the principle or code is outweighed by the public interest in making the direction. While such directions are intended as short-term solutions to problems complying with a code or principle, the danger is that they remain in operation.

Enforcement

3.35 Section 53 of PPIPA states that “a person who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct”. Thus, if a complaint is about personal information and against a New South Wales public sector agency, the aggrieved person could seek an internal review of the complaint.

3.36 Enforcement of the privacy principles set out in PPIPA is therefore primarily through administrative review where individual applicants may seek internal review of the conduct or a decision. This process could result in binding findings and enforceable remedies available on subsequent application to the Administrative Decisions Tribunal. However, there are few applications filed and fewer decisions made, with the majority being resolved by alternative dispute resolution processes.43

3.37 PPIPA also aims to protect “the privacy of individuals generally”. Section 45(1) states that “a complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.”

3.38 Section 45(2) provides that the subject matter of a complaint may relate to conduct to which the alternative process of administrative review applies, implying that its scope is broader than the breach of the IPPs by a public sector agency. Thus, if the complaint is about physical privacy and against an organisation that is not a public sector agency, the person can make a complaint to Privacy NSW.

3.39 Although the Privacy Commissioner may investigate any complaint about an alleged violation or interference with the privacy of an individual, even those that go beyond the conduct of the New South Wales public sector agencies and a breach of the IPPs, it would appear that the focus is on the individual complainant, rather than investigation and resolution of systemic privacy issues.44

3.40 While there are two avenues for complaint resolution under PPIPA, there is no requirement that complainants make a choice. Indeed, s 45 allows the Privacy Commissioner to accept complaints that could also be the subject of the internal review mechanism.45 This was clearly the intention of the provision as stated by the then Attorney General in the second reading speech:

      … in cases in which the complaint relates to a breach of a data protection principle, relevant code, or breaches of the public register provisions, the complainant can choose to have the Commissioner conciliate the matter or alternatively to seek an internal review by the agency with a right of review by the Administrative Decisions Tribunal.46
3.41 However, in practice it appears that the Privacy Commissioner does ask complainants to choose which method they prefer, that is, administrative review process or complaints to the Commissioner.47 In any event, given the six month time limit within which an internal review application must be lodged, it is unlikely that an applicant can have the benefit of an investigation by the Privacy Commissioner before seeking an internal review. Each of the review mechanisms is discussed below.

Administrative review process via internal review

3.42 Section 53(2) provides that an internal review is to be undertaken by the public sector agency concerned. It is an internal investigation to assess whether or not the complaint is justified, that is, whether or not the agency has complied with its privacy obligations set out in the IPPs. It is conducted by an employee or officer of the agency but not by the individual involved in the subject of the application, and is overseen by Privacy NSW on the application of the aggrieved person. Alternatively, the internal review can be conducted by Privacy NSW on behalf of the agency.48 If the internal review is conducted by the agency, Privacy NSW is entitled to make submissions to the agency in relation to the subject matter of the application.49 Crucial to the process is that the application for review must be lodged at an office of the public sector agency within six months of the date when the applicant first became aware of the conduct complained of.50

3.43 Following the review, the agency may choose to take no further action or may do one or more of the following:

    • make a formal apology;
    • take remedial action, such as the payment of compensation;
    • provide an undertaking that the conduct will not be repeated; and/or
    • implement administrative measures to ensure that the conduct is not repeated.51
3.44 If the internal review is not completed within 60 days,52 or if the applicant is dissatisfied with the findings or the action taken, the applicant may apply to the Administrative Decisions Tribunal (“ADT”) for a review of the conduct that was the subject of the internal review.53 The ADT must notify the Privacy Commissioner of any such application and the Commissioner has the right to appear and be heard in any such proceedings.54

3.45 On reviewing the conduct of the agency, the ADT can make binding orders requiring, for example, that the agency change its practices, apologise to the complainant or pay damages by way of compensation. Compensation only applies in limited circumstances, such as if the applicant has suffered loss or damage as a result of the conduct.55 It does not apply where the conduct occurred while the applicant was a convicted inmate.56

3.46 A party to the proceedings may appeal to an Appeal Panel of the Tribunal against a decision or order of the Tribunal.57

Complaints to the Privacy Commissioner

3.47 Among the functions of the Privacy Commissioner listed in s 36(2) are the functions to “receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies)”58 and to “conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate.”59 In relation to such complaints, s 45(1) states that “a complaint may be made about the alleged violation of, or interference with, the privacy of an individual”. Chapter 7 at paragraph 7.21 raises the issue that there is some ambiguity about who may make the complaint that may require clarification.

3.48 Section 45(2) provides that the subject matter of a complaint may relate to conduct to which the internal review process applies, implying that a complaint may be made about other privacy related matters. This interpretation is supported by s 46(2), which provides that if the complaint relates to conduct for which the internal review process is available, the Privacy Commissioner must inform the complainant of the review process and the remedial action available under that process.

3.49 Sections 45-51 of PPIPA set out the Privacy Commissioner’s complaints handling powers. These are:

    • inquiry and investigation (with the powers, authorities, protections and immunities available to a Royal Commissioner);
    • conciliation; and
    • reporting (including reporting to Parliament) on any matter pertaining to the privacy protection of individuals.
3.50 Once the Privacy Commissioner has conducted a preliminary assessment, he or she may decide not to deal with a complaint because: the complaint is frivolous; it is exempted; there are other means of redress; or it would be more suitably dealt with by the internal review process.60 The Privacy Commissioner may also choose to refer the matter to other authorities for resolution.61 Even if the Privacy Commissioner declines to deal with a complaint or refers it to another authority for resolution, he or she may still conduct an inquiry or investigation into any general issues or matters raised in connection with the complaint.62

3.51 If, however, the Privacy Commissioner decides to deal with the matter, he or she must endeavour to resolve the complaint by conciliation.63 The Privacy Commissioner may make such inquiries and investigations as appropriate64 and may request the complainant and the respondent to appear in the proceedings.65 The Privacy Commissioner may make a written report on findings and recommendations in relation to the complaint.66

3.52 Determining whether a particular complaint is a breach of PPIPA, that is, whether it is a “violation or interference with the privacy of an individual”, is somewhat difficult in the case of complaints in relation to forms of privacy other than information privacy, as PPIPA provides no specific guidance in this regard. While the relevant standards for assessing a complaint about information privacy against a public sector agency would be the IPPs and the public register provisions, Privacy NSW uses the standards set out in the Complaints Handling Protocol available on their website to determine the validity of other complaints.67 This aspect of PPIPA’s privacy protection is discussed in detail in Chapter 5.

3.53 Complaints to the Commissioner do not give rise to enforceable remedies in that the Commissioner does not have the power to make binding orders or recommendations. In exceptional circumstances, the Commissioner can make a special report to Parliament on the findings of an investigation.

THE HEALTH RECORDS AND INFORMATION PRIVACY ACT 2002 (NSW)

Historical background

3.54 In December 2000, the NSW Ministerial Advisory Committee on Privacy and Health Information presented a report entitled Panacea or Placebo to the New South Wales Government. The central recommendation of this report was that personal health information required specific statutory protection. Accordingly, the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA) was passed in September 2002 and commenced on 1 September 2004, establishing “a comprehensive regime for the management and protection of health information across both the private and public sectors in New South Wales”.68

3.55 HRIPA protects the privacy of an individual’s health information.69 It does this by requiring those who handle health information in both the public and private sectors to comply with 15 Health Privacy Principles.70 Coverage of the private sector is possibly the most notable distinction between PPIPA and HRIPA, although the protection afforded is limited to health information.

3.56 As HRIPA was passed several years after PPIPA, it was drafted with the benefit of experience of, and hindsight into, the operation of privacy laws in New South Wales. As noted in the Second Reading Speech, the development of HRIPA was guided by three principles:

      The first is to recognise obligations already imposed on service providers and health service providers by the existing laws, such as the Federal Privacy Act.

      The second principle is to draw together the best elements of existing privacy legislation at a local, national and international level. In this regard, particular attention has been given to the obligations currently imposed on the public sector in New South Wales under the Privacy and Personal Information Protection Act, as well as the reforms recently introduced in Victoria in the Health Records Act. The experience to date in other jurisdictions has been useful to the development of this bill. It reinforces the need for a flexible and adaptive legislative scheme capable of accommodating the complexities arising in the management of health information.

      The third principle is the aim to ensure a readily accessible and usable set of principles having due regard to both individual rights and the special needs arising in the management and use of health information. In this regard the bill endeavours to strike an appropriate balance between the desire of consumers for privacy on the one hand, and the need to safeguard the health and safety of individuals and the public, and promote safe and effective health service delivery on the other.71

3.57 The purpose of HRIPA, as set out in s 3, is to:

    promote fair and responsible handling of health information by:

    (a) protecting the privacy of an individual’s health information that is held in the public and private sectors, and

    (b) enabling individuals to gain access to their health information, and

    (c) providing an accessible framework for the resolution of complaints regarding the handling of health information.


3.58 The objects are:

    (a) to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and

    (b) to enhance the ability of individuals to be informed about their health care, and

    (c) to promote the provision of quality health services.


3.59 While there are still areas that warrant improvement and reform, HRIPA is considered a significant improvement on other existing privacy legislation, both structurally and in terms of achieving its objects.72

What is covered?

3.60 “Health information” is defined in s 6 to be a particular type of personal information, as set out in paragraph 3.61 below. Section 5 of HRIPA defines personal information in similar terms to the definition in PPIPA, although with four further exclusions from the definition. These are:

      (c) information about an individual that is contained in a document kept in a library, art gallery or museum for the purposes of reference, study or exhibition,

      (d) information about an individual that is contained in a State record under the control of the State Records Authority that is available for public inspection in accordance with the State Records Act 1998;

      (e) information about an individual that is contained in the archives within the meaning of the Copyright Act 1968 of the Commonwealth,

      (n) information about an individual that forms part of an employee record (within the meaning of the Privacy Act 1988 of the Commonwealth about the individual held by a private sector person.

3.61 Section 6 of HRIPA defines “health information” to mean personal information or an opinion about:73
    • a person’s physical or mental health or disability;
    • a person’s express wishes about the future provision of health services for themselves;
    • other personal information collected to provide, or in providing a health service;
    • other personal information about an individual collected in connection with the donation of human tissue or body parts;
    • other personal information, such as genetic information about a person arising from a health service provided to them that predicts or could predict the health of that person or of their siblings, relatives or descendants and personal information which has been collected to provide or personal information collected in providing a health service.
3.62 A health service, whether provided as public or private services, is defined in s 4 to include:
      (a) medical, hospital and nursing services;

      (b) dental services;

      (c) mental health services;

      (e) pharmaceutical services;

      (f) community health services;

      (g) health education services;

      (h) welfare services required to implement the services referred to above;

      (i) services provided by podiatrists, chiropractors, osteopaths, optometrists, physiotherapists, psychologists and optical dispensers in the course of providing health care;

      (j) services provided by dietitians, masseurs, acupuncturists, occupational therapists, speech therapists, audiologists, audiometrists and radiographers in the course of providing health care;

      (k) services provided in other alternative health care fields in the course of providing health care;

      (l) a service prescribed by the regulations as a health service for the purposes of this Act.

3.63 A “health service provider” is an organisation that provides health services, as defined above, unless exempted by the regulations. An “organisation” is defined as “a public sector agency or a private sector person”. A “private sector person” is defined to mean: a natural person; a body corporate; a partnership; or a trust or any other unincorporated association or body; but does not include a “small business operator”.74 Section 11 provides that the “Act applies to every organisation that is a health service provider or that collects, holds or uses health information”.

3.64 Thus, the health service providers regulated by HRIPA range from individual GPs and partnerships of practitioners such as physiotherapists, through to large private and public hospitals and larger organisations that handle health information and have an annual turnover of more than $3million, such as insurance companies that deal with health information.

The Health Privacy Principles

3.65 The key to the operation of HRIPA are the 15 Health Privacy Principles (“HPPs”), which are the legal obligations describing what New South Wales public and private sector organisations must do when they collect, hold, use and disclose health information. Whereas the IPPs are contained in the body of PPIPA, the HPPs are contained in Schedule 1 to HRIPA and are, as a result, easier to identify.

3.66 The 15 HPPs can be grouped into 7 categories according to the areas they regulate:

    • collection;
    • storage;
    • access;
    • use;
    • disclosure;
    • identifiers and anonymity; and
    • transferrals and linkage.
3.67 In addition to the HPPs listed above, Part 4 of HRIPA sets out special rules in relation to:
    • the retention of health information by health service providers;75
    • providing access to information;76 and
    • amending health information.77
These special rules are additional to, and are meant to assist with the operation of, the general HPPs and are discussed below within the context of the relevant HPPs.

3.68 Collection of information is dealt with in HPPs 1-4. As is the case with the IPPs,78 collection of health information must be for a lawful purpose and must be directly related to the organisation’s activities and reasonably necessary for that purpose. 79 The information collected must also be relevant to that purpose, accurate and up to date. It must not be excessive and should not intrude unreasonably on the personal affairs of the individual to whom the information relates.80 Collection must also be done in an open manner where agencies must inform the person concerned of the identity of the organisation collecting the information, the purpose of collection, its use, and so forth.81 An organisation must collect the health information directly from the individual concerned, unless unreasonable or impracticable to do so.82 This differs from IPP 2, which allows for consent to be given to the collection of information from a third party.

3.69 Storage is dealt with in HPP 5. As for IPP 5, health information must be stored securely, not kept for any longer than is necessary and protected from unauthorised access.83

3.70 Section 25 of HRIPA (Division 2 of Part 4) contains an additional provision applicable to private sector persons. Private sector health service providers must retain health information collected while the individual was an adult for 7 years from the last occasion on which a health service was provided. In the case of health information collected from a person under the age of 18 years, this must be retained until the person turns 25.

3.71 Access and accuracy are dealt with in HPPs 6-9. The organisation holding health information must be transparent in providing details about what information is being stored, why such information is being stored and what access rights exist.84 It is also a requirement that such information is accessible,85 correct, capable of amendment at the request of the individual to whom the information relates86 and accurate.87

3.72 Division 3 of Part 4 (s 26-32) of HRIPA contains additional provisions applicable to private sector persons when an individual requests access to his or her health information. Similarly, Division 4 (s 33-37) makes provision for an individual to request a private sector person to amend that individual’s health information.

3.73 Use of health information is dealt with in HPP 10. Generally, an organisation can only use information for the purpose for which it was collected or a directly related purpose unless the individual concerned has consented to any other use. There are, however, a range of circumstances when health information may be used for other purposes where necessary, such as: where there is a serious threat to health and welfare; for management of health services, training or research; to find a missing person; investigating suspected unlawful activity; law enforcement; complaint handling or investigative functions; and for circumstances prescribed by the regulations.

3.74 Disclosure of health information is dealt with in HPP 11. As with HPP 10, health information cannot be disclosed except for the purpose for which it was obtained or a directly related purpose, unless the individual to whom the information relates has consented. There are similar exceptions to this principle as there are for HPP 10. In addition, an exception is allowed for compassionate reasons.88

3.75 Identifiers and anonymity are dealt with in HPP 12 and 13. Wherever lawful and practicable, individuals must be entitled to receive health services anonymously. An identifier is defined in s 4 of HRIPA to mean something (usually a number) that an organisation assigns to a person in order to uniquely identify that person, such as a person’s Medicare number. An organisation can only provide an identification number if it is reasonably necessary to enable the organisation to carry out its functions efficiently. A private sector person may adopt an identifier assigned to an individual by a public sector agency only if the individual has consented to such use or such use is required or authorised by law. Similarly a private sector person may use or disclose such an identifier only in exceptional circumstances. While there are great benefits for efficient record management in assigning numbers or other identifiers, they also pose a major privacy risk. This is discussed in greater detail in Chapter 6 at paragraphs 6.66-6.71.

3.76 Transferrals and linkage are dealt with in HPPs 14 and 15. An organisation must not transfer health information about an individual to any person or body outside New South Wales or to a Commonwealth agency unless the individual consents to the transfer, or other specified circumstances exist.89 An organisation must not include health information about an individual in a health records linkage system (which is a computerised system designed to link health records) unless the individual has expressly consented to the information being included. Again, exceptions to this principle are available if the organisation is lawfully authorised not to comply with the principle or where non-compliance is otherwise permitted.90

Consent

3.77 Consent is a crucial concept in the operation of HRIPA but it has not been defined. Except for HPPs 4 and 15, which require express consent, it is also unclear from the legislation whether consent, in cases where it is required, ought to be express or implied.

3.78 Under HPP 4, an organisation is not required to comply with the requirement to notify if the individual to whom the information relates has expressly consented to the organisation not complying with it.91 HPP 4 requires an agency to notify the individual of why their health information is being collected, what will be done with it and who else might see it. Fulfilling these notification obligations does not amount to seeking consent and must not be confused with consent.

3.79 Similarly, under HPP 15, an organisation must not include health information about an individual in a health records linkage system unless the individual has expressly consented to the information being so included.

3.80 In certain circumstances, the exemption provisions override the requirement for consent, such as where the information is being used for the primary purpose for which it was obtained, or for a directly related secondary purpose or where it is used under lawful authority. Where it is impracticable to obtain consent, such as where a person lacks capacity to consent, HRIPA makes provision for an authorised representative to act on his or her behalf.92

Exemptions

3.81 Like the exemptions to PPIPA, there are four major sources of exemptions to HRIPA. They are:


    (a) exemptions within HRIPA;

    (b) exemptions effected by regulation;

    (c) exemptions in health privacy codes of practice made by the Minister of Health under HRIPA;

    (d) exemptions in health public interest directions made by the Privacy Commissioner under HRIPA.


3.82 Exemptions within HRIPA. There are many exemptions within HRIPA, which limit the seemingly wide ambit of the Act. Some are couched within the definitions of terms, others are stated specifically, still others are contained within the HPPs.

3.82 As explained in paragraph 3.13 above, the definition of “personal information” (of which “health information” is a particular type) is subject to a large number of exemptions in s 5(3), thereby limiting the ambit of “health information”. There are also exemptions that limit the general operation of the Act. For instance, s 13 provides that nothing in HRIPA affects the manner in which a court or tribunal exercises the court’s or tribunal’s judicial functions.

3.83 HPPs 1-4, 10, 11 and 14 are not applicable to the collection, use or disclosure of health information by a news medium, if the collection, use or disclosure is in connection with its news activities.93 Nor do HPPs 6-8 and Part 4 apply to health information held by a news medium in connection with its news activities.94

3.84 There are also blanket exemptions whereby HRIPA does not apply to various agencies or organisations. These include: the Independent Commission against Corruption, the Police Service, the Police Integrity Commission and the NSW Crime Commission, except in connection with the exercise of their administrative and educative functions.95

Other exemption mechanisms

3.85 As is the case under PPIPA, exemptions can also be effected by regulation, codes of practice or public interest directions by modifying the application of HPPs to particular projects across any number of public or private sector agencies. This may be required where the HPPs have to be balanced against other public interests.

3.86 There is currently only one regulation in force, namely the Health Records and Information Privacy Regulation 2006. This exempts organisations taking part in electronic health record pilot programs from the operation of HPP 15 dealing with the linkage of health records. This regulation also exempts Aboriginal Trust Funds Repayment Scheme agencies96 from the operation of various HPPs.97 Public sector agencies are also exempt from HPPs 10 and 11 in respect of disclosure of health information to an Aboriginal Trust Funds Repayment Scheme agency.

3.87 The Health Records and Information Privacy Code of Practice 2005 permits, in certain limited circumstances, the collection, use and disclosure of health information by human services agencies without the consent of the person to whom the health information relates.

3.88 Codes and regulations are drafted by Parliamentary Counsel, while directions made pursuant to s 62 are made by the Privacy Commissioner with the approval of the Minister for Health. Many such directions to modify the application of HPPs have been made but usually only operate for a specified period of time or until the completion of a particular project.98

Enforcement

3.89 As stated above, HRIPA covers both the New South Wales public sector agencies as well as the private sector, and as such, both sectors must comply with the 15 HPPs. The private sector must also comply with the additional principles applicable to private sector individuals and agencies in relation to keeping and giving access to health information. A breach of the HPPs or the additional principles will entitle an individual to make a complaint. However, the enforcement process for complaints will depend on whether the complaint is against a public sector agency or a private sector individual or organisation.

3.90 Complaints against a private sector person or agency. Part 6 of HRIPA deals with complaints against the private sector. Section 42 provides that a complaint may be made to the Privacy Commissioner by a private sector person about the alleged contravention of an HPP, a provision of Part 4 or a health privacy code of practice.99 A complaint must be made in writing within six months of the time when the complainant first became aware of the relevant conduct.100 On receipt of the complaint, the Privacy Commissioner may conduct a preliminary assessment of the complaint.101 The Privacy Commissioner may decide not to deal with the complaint if satisfied of one of a number of factors, including that the complaint is vexatious, trivial or exempted conduct.102 If the Privacy Commissioner is satisfied that there is a prima facie case of a breach of the Act, the Commissioner may:


    (a) endeavour to resolve the complaint by conciliation under s 46;

    (b) further investigate the complaint and make a report under s 47; or

    (c) determine that the complaint has been resolved to his or her satisfaction.103


The Commissioner’s findings and recommendations are not binding.

3.91 A complainant may apply to the ADT for an inquiry into the complaint, but only if the Privacy Commissioner has made a report pursuant to s 47.104 The ADT hears the complaint in its original jurisdiction; it does not have jurisdiction to review the Privacy Commissioner’s decision.105 The ADT can make legally binding orders including: an order requiring the respondent to pay the complainant damages not exceeding $40,000; an order requiring the respondent to refrain from any conduct or action in contravention of an HPP; or an order requiring performance of an HPP, a provision of Part 4 or a health privacy code of practice.106 An order or other decision made by the ADT may be appealed to an Appeal Panel of the ADT.107

3.92 Complaints against a public sector agency. The complaints process in relation to a public sector agency is governed by Part 5 of HRIPA. Thus, where a person is of the view that a public sector agency has breached an HPP, the person can seek an internal review. If the internal review is not completed within 60 days or the person is unhappy with the handling or the results of the internal review, the person can seek a review by the ADT. The ADT can make legally binding orders. If still dissatisfied, the person can appeal to an Appeal Panel of the ADT.

OTHER RELATED NEW SOUTH WALES LEGISLATION

3.93 In addition to PPIPA and HRIPA, the main privacy statutes in New South Wales, there are other statutes that deal with aspects of privacy:

    • The Workplace Surveillance Act 2005 (NSW) prohibits the surveillance by employers of their employees, except where the employer notified the employees about the surveillance, or where the employer has a covert surveillance authority granted by a Supreme Court judge. The forms of surveillance that are regulated by the Act are: camera surveillance; computer surveillance (including the sending and receipt of emails and the accessing of internet websites); and tracking surveillance (such as the use of a Global Positioning System tracking device).108
    • The Listening Devices Act 1994 (NSW) prohibits the use of a listening device to listen to or record a private conversation, unless such use falls within one of the exceptions specified by the Act, or is authorised by a warrant granted by a judge of the Supreme Court.
    • Bodily privacy is dealt with in the Crimes (Forensic Procedures) Act 2000 (NSW) in the context of DNA testing.
    • The Freedom of Information Act 1989 (NSW) gives every person a right to obtain information held as records by New South Wales government agencies, Ministers, local government and other public bodies. Like its federal counterpart, the Act grants access and amendment rights to an agency’s records or documents.109 The States Records Act 1998 (NSW) and the Local Government Act 1993 (NSW) also provide rights of access to New South Wales government records.110 The relationship between these three Acts and PPIPA is dealt with in Chapter 7.

FOOTNOTES

1. Privacy and Personal Information Protection Act 1998 (NSW), Long Title.

2. Privacy and Personal Information Protection Act 1998 (NSW) s 4A.

3. Privacy and Personal Information Protection Act 1998 (NSW) s 4(1). The wording is similar to the definition in the Privacy Act1988 (Cth). However, the main difference between the two definitions is that the New South Wales Act contains a list of exceptions. It excludes from the definition, among other things: information about an individual who has been dead over 30 years; information that is contained in a publicly available publication; and information arising out of various acts such as the Witness Protection Act 1995 (NSW): Privacy and Personal Information Protection Act 1998 (NSW) s 4(3).

4. Privacy and Personal Information Protection Act 1998 (NSW) s 129(a) and (b).

5. Privacy and Personal Information Protection Amendment (Prisoners) Act 2002 (NSW).

6. Health Records and Information Privacy Act 2002, Sch 3 contained these and other amendments to the Privacy and Personal Information Protection Act 1998 (NSW).

7. Privacy and Personal Information Protection (Transitional) Regulation 1999 (NSW).

8. Privacy and Personal Information Protection Regulation 2000 (NSW) exempts certain public sector agencies from the requirement to make a privacy management plan, exempts certain public registers from the provisions of Part 6 of PPIPA and exempts the Councils of the Law Society and the Bar Association from the operation of PPIPA.

9. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998 (Tabled 25 September 2007, Legislative Assembly).

10. Privacy and Personal Information Protection Act 1998 (NSW) s 4(2).

11. Privacy and Personal Information Protection Act 1998 (NSW) s 36(2)(k).

12. Privacy NSW, Consultation (29 June 2007).

13. Privacy NSW, Consultation (29 June 2007).

14. See para 5.7-5.50.

15. New South Wales, Parliamentary Debates, Legislative Council, 17 September 1998, 7599-7602 (the Hon J W Shaw).

16. Privacy NSW, Submission on the Review of thePrivacy and Personal Information Protection Act 1988 (24 June 2004), 72.

17. Privacy and Personal Information Protection Act 1998 (NSW) s 8-11.

18. Privacy and Personal Information Protection Act 1998 (NSW) s 8.

19. Privacy and Personal Information Protection Act 1998 (NSW) s 9.

20. Privacy and Personal Information Protection Act 1998 (NSW) s 10.

21. Privacy and Personal Information Protection Act 1998 (NSW) s 11.

22. Privacy and Personal Information Protection Act 1998 (NSW) s 12.

23. Privacy and Personal Information Protection Act 1998 (NSW) s 13.

24. Privacy and Personal Information Protection Act 1998 (NSW) s 14.

25. Privacy and Personal Information Protection Act 1998 (NSW) s 15.

26. Privacy and Personal Information Protection Act 1998 (NSW) s 16.

27. Privacy and Personal Information Protection Act 1998 (NSW) s 17.

28. Privacy and Personal Information Protection Act 1998 (NSW) s 18.

29. Privacy and Personal Information Protection Act 1998 (NSW) s 19.

30. Privacy and Personal Information Protection Act 1998 (NSW) s 22.

31. Privacy and Personal Information Protection Act 1998 (NSW) s 23.

32. Privacy and Personal Information Protection Act 1998 (NSW) s 3.

33. Privacy and Personal Information Protection Act 1998 (NSW) s 4(3). See para 3.13.

34. Privacy and Personal Information Protection Act 1998 (NSW) s 27.

35. Privacy and Personal Information Protection Act 1998 (NSW) s 28.

36. Privacy and Personal Information Protection Act 1998 (NSW) s 6.

37. Privacy and Personal Information Protection Regulation 2005 (NSW) cl 5.

38. Privacy and Personal Information Protection Regulation 2005 (NSW) cl 6.

39. Privacy and Personal Information Protection Regulation 2005 (NSW) cl 7.

40. Privacy and Personal Information Protection Act 1998 (NSW) s 29(1).

41. Privacy and Personal Information Protection Act 1998 (NSW) s 29(2).

42. Privacy and Personal Information Protection Act 1998 (NSW) s 41.

43. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998 (26 May 2004).

44. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [14.10].

45. Privacy and Personal Information Protection Act 1998 (NSW) s 45(2).

46. New South Wales, Parliamentary Debates, Legislative Council, 17 September 1998, 7599-7602 (the Hon J W Shaw).

47. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1988, 107.

48. Privacy and Personal Information Protection Act 1998 (NSW) s 54(3).

49. Privacy and Personal Information Protection Act 1998 (NSW) s 54(2).

50. Privacy and Personal Information Protection Act 1998 (NSW) s 53(3)(d).

51. Privacy and Personal Information Protection Act 1998 (NSW) s 53(7).

52. Privacy and Personal Information Protection Act 1998 (NSW) s 53(6).

53. Privacy and Personal Information Protection Act 1998 (NSW) s 55.

54. Privacy and Personal Information Protection Act 1998 (NSW) s 55(6) and (7).

55. Privacy and Personal Information Protection Act 1998 (NSW) s 55(4).

56. Privacy and Personal Information Protection Act 1998 (NSW) s 55(4A).

57. Privacy and Personal Information Protection Act 1998 (NSW) s 56.

58. Privacy and Personal Information Protection Act 1998 (NSW) s 36(2)(k).

59. Privacy and Personal Information Protection Act 1998 (NSW) s 36(2)(j).

60. Privacy and Personal Information Protection Act 1998 (NSW) s 46(3).

61. Privacy and Personal Information Protection Act 1998 (NSW) s 47.

62. Privacy and Personal Information Protection Act 1998 (NSW) s 51.

63. Privacy and Personal Information Protection Act 1998 (NSW) s 49(1).

64. Privacy and Personal Information Protection Act 1998 (NSW) s 48(1)(b).

65. Privacy and Personal Information Protection Act 1998 (NSW) s 49(2).

66. Privacy and Personal Information Protection Act 1998 (NSW) s 50(1).

67. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1988, 103.

68. New South Wales, Parliamentary Debates, Legislative Council, 11 June 2002, Second Reading Speech, 2958-2959 (Michael Egan).

69. The Act defines health information as personal information or an opinion about an individual’s physical or mental health or disability, an individual’s express wishes about the future provision of health services to him or her, or a health service provided to an individual. It also includes other personal information collected in providing a health service, or other personal information about an individual collected in connection with the donation of an individual’s body parts, organs or body substances. Further, it includes genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health of the individual or any of his or her siblings, relatives or descendants: Health Records and Information Privacy Act 2002 (NSW) s 6.

70. See Health Records and Information Privacy Act 2002 (NSW) Sch 1.

71. New South Wales, Parliamentary Debates, Legislative Council, 11 June 2002, Second Reading Speech, 2958-2959 (Michael Egan).

72. See discussion in Ch 4 and 5.

73. “Health information” “does not include health information, or a class of health information contained in a class of documents, that is prescribed as exempt health information for the purposes of [the] Act generally or for the purposes of specified provisions of [the] Act”.

74. Health Records and Information Privacy Act 2002 (NSW) s 4(1).

75. Health Records and Information Privacy Act 2002 (NSW) Part 4 Division 2.

76. Health Records and Information Privacy Act 2002 (NSW) Part 4 Division 3.

77. Health Records and Information Privacy Act 2002 (NSW) Part 4 Division 4.

78. See para 3.19.

79. HPP 1: Schedule 1(1).

80. HPP 2: Schedule 1(2).

81. HPP 4: Schedule 1(4).

82. HPP 3: Schedule 1(3).

83. HPP 5: Schedule 1(5).

84. HPP 6: Schedule 1(6).

85. HPP 7: Schedule 1(7).

86. HPP 8 Schedule 1(8).

87. HPP 9 Schedule 1(9).

88. Health Records and Information Privacy Act 2002 (NSW) sch 1(11)(1)(g).

89. The exceptional circumstances are listed in sch 1(14) (a)–(h).

90. HPP 15 sch 1(15).

91. Health Records and Information Privacy Act 2002 (NSW) sch 1 cl 4(4).

92. Health Records and Information Privacy Act 2002 (NSW) s 7 (2).

93. Health Records and Information Privacy Act 2002 (NSW) s 15(1). “News medium” is defined in s 4 to mean any organisation whose business, or principal business, consists of a news activity.

94. Health Records and Information Privacy Act 2002 (NSW) s 15(2).

95. See Ch 5 for an analysis of this distinction between functions that are and are not exempt.

96. These include the Department of Aboriginal Affairs, the State Records Authority or the Department of Premier and Cabinet.

97. HPPs 1-4 and 8-11.

98. There are currently three directions that are in force: Direction relating to the Anti-Social Behaviour Pilot Project; Direction on the Incidental Disclosure and the Transfer of Health Information belonging to the (SA) Commission of Inquiry into Children in State Care; and Direction relating to the Redfern Waterloo Partnership Project.

99. Health Records and Information Privacy Act 2002 (NSW) s 42(1).

100. Health Records and Information Privacy Act 2002 (NSW) s 42(2).

101. Health Records and Information Privacy Act 2002 (NSW) s 43(1).

102. Health Records and Information Privacy Act 2002 (NSW) s 43(2).

103. Health Records and Information Privacy Act 2002 (NSW) s 45.

104. Health Records and Information Privacy Act 2002 (NSW) s 48.

105. Health Records and Information Privacy Act 2002 (NSW) note to s 48. See Ch 7 for an analysis of the ADT’s jurisdiction in privacy matters.

106. Health Records and Information Privacy Act 2002 (NSW) s 54.

107. Health Records and Information Privacy Act 2002 (NSW) s 57.

108. Workplace Surveillance Act 2005 (NSW) s 3. There was some doubt as to the continuing operation of the Workplace Surveillance Act 2005(NSW) pursuant to s 16 of the Workplace Relations Act 1996 (Cth) which excluded the operation of State or Territory industrial laws, including an Act of a State or Territory that applies to employment generally and has one or more of its main purposes (among others) regulating workplace relations or providing for the terms and conditions of employment. The High Court upheld the validity of s 16 of the Workplace Relations Act 1996 (Cth): NSW v Commonwealth [2006] HCA 52. It must be noted that industrial relations is currently undergoing significant change with the passage of the Workplace Relations Amendment (Transition to Forward with Fairness) Act 2008 (Cth). However, the amendments do not appear to impact on s 16 of the Workplace Relations Act 1996 (Cth) and consequently, the doubt in terms of the operation of the Workplace Surveillance Act 2005 (NSW) remains unchanged.

109. See Freedom of Information Act 1989 (NSW) pt 3 (access to documents), pt 4 (amendment of records).

110. See States Records Act 1998 (NSW) pt 6 (public access to State records after 30 years); Local Government Act 1993 (NSW) pt 2 (access to information).



Previous Page | Back to Lawlink Home | Top of Page
  Last updated 29 July 2008   Crown Copyright ©  
Hosted by agd logo
Lawlink NSW