4. Achieving a clear and consistent legislative structure
INTRODUCTION
4.1 Without question, the effectiveness of privacy laws would be optimised through greater clarity and consistency, not only of content, but also of structure. Reducing legislative complexity would inevitably promote ease of understanding and compliance. This is particularly the case with the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”), which is structurally quite difficult to penetrate.
4.2 Issues of structure are often closely linked to those of scope. As noted in Chapter 5, the major differences between PPIPA and the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”) are that HRIPA is more narrowly focused than PPIPA in terms of the type of information it regulates, but is broader in its application to both the public and private sectors. These differences in scope account not only for the differences in structure between the two laws, but also help to explain the existence of two separate laws to regulate information privacy in NSW.
4.3 In this chapter, we examine the two main New South Wales privacy laws with a view to proposing structural changes aimed at achieving greater simplicity and harmony. We are also acutely conscious of the problems that arise due to the lack of consistency in privacy legislation at a national, as well as a State, level. Consequently, we have carefully considered the proposals made by the Australian Law Reform Commission (“ALRC”) in its current review of Commonwealth privacy laws,1 and the impact of those proposals on NSW.
4.4 The discussion in this chapter is designed to elicit views on the following key questions:
- Is the structural basis of PPIPA and HRIPA the most effective way of promoting the aims of each piece of legislation?
- Should New South Wales continue, under HRIPA, to regulate the privacy of health information handled by the private sector, given the ALRC’s proposal for such information to be regulated nationally?
- If HRIPA is restricted to the regulation of health information held by the public sector only, does the need for separate health privacy legislation in New South Wales persist?
CLARIFYING THE STRUCTURE OF NEW SOUTH WALES PRIVACY LAWS
4.5 During its introduction into New South Wales Parliament in 1998, PPIPA was described as promoting “the protection of privacy and the rights of the individual by the recognition, dissemination and enforcement of data protection principles consistent with international best practice standards”.2 The standards referred to date from the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.3 Those Guidelines form the basis of most Australian, and many overseas, information privacy laws.
4.6 As noted in Chapter 3, the regulatory centrepiece of both PPIPA and HRIPA is a series of principles setting out minimum standards for the protection of information privacy. Consequently, both pieces of legislation are generally referred to as being principles-based, rather than rules-based.4 The main difference between the two forms of regulation lies in the level of detail and proscription, with principles-based legislation focussing more on broad statements of outcomes rather than prohibition of specific conduct.5 These issues will be discussed in greater detail below.
The structure of PPIPA
4.7 PPIPA consists of eight parts and can broadly be divided into two areas of operation. The first involves the provisions setting out the responsibilities of public sector agencies when dealing with personal information as defined in the Act.6 The core of this area is the 12 Information Protection Principles (“IPPs”), which establish the minimum standards with which public sector agencies must comply when collecting, storing, handling or disseminating personal information. The IPPs are found in Part 2 of PPIPA.7 As noted in Chapter 3, they are modelled on, but not identical to, those in the Privacy Act 1988 (Cth), and apply only to the public sector, with the exception of State owned corporations.8 PPIPA provides for a number of exemptions from compliance with the IPPs.9
4.8 Public sector agencies must develop privacy management plans outlining how the IPPs that apply to their organisation are to be implemented. Agencies, or the Privacy Commissioner, may also develop codes of practice that can modify the application of the IPPs, or even provide exemptions. The codes must be approved by the Privacy Commissioner and are made by the Attorney General upon publication in the Government Gazette. The code and management plan provisions are contained in Part 3 of the Act.
4.9 Part 5 sets out the enforcement procedures that may apply where it is alleged that a public sector agency has breached the IPPs or a relevant code of practice, or has breached the provisions concerning public registers contained in Part 6.10 Complainants may seek redress by requiring the public sector agency concerned to conduct an internal review.11 If not satisfied with the outcome of the internal review, a complainant may apply to the Administrative Decisions Tribunal for a determination.12
4.10 The second area of operation relates to the more general role and functions of the Office of the Privacy Commissioner. The exercise of these functions is not restricted to the public sector or to personal information. Part 3 established the office of the Privacy Commissioner and sets out its educative and investigative functions, together with the role of the Commissioner in dealing with privacy-related complaints.13 This part of PPIPA operates broadly, since a complaint may be made in relation to any violation of individual privacy.14
4.11 Part 7 establishes the Privacy Advisory Committee, comprising the Privacy Commissioner and six members of New South Wales Parliament.15 The Committee’s functions are to advise on matters relevant to the Privacy Commissioner’s functions, including recommending material to be contained in guidelines issued by the Privacy Commissioner, and to advise the Attorney General on any matters referred to the Committee.16 Part 8 prescribes offences concerning corrupt disclosure and use of personal information by a public official,17 offering to supply unlawfully disclosed information,18 and other dealings with the Privacy Commissioner,19 as well as other miscellaneous provisions.
4.12 PPIPA also provides for exemptions from the requirement to comply with all or part of the Act. Exemptions may relate to certain types of information, particular agencies or classes of agencies, or specific functions of agencies. The exemptions may be expressly included in PPIPA itself,20 provided for in regulations21 or a code of practice made by the Attorney General,22 or included in a public interest direction made by the Privacy Commissioner.23
The structure of HRIPA
4.13 In contrast to the 12 IPPs in PPIPA, HRIPA contains 15 Health Privacy Principles (“HPPs”) that apply to public and private sector agencies and organisations that collect or handle health information.24 The HPPs are not located in the body of the Act itself, but in Schedule 1 to HRIPA. As well as regulating data collection,25 storage and security,26 and use and disclosure of information,27 the HPPs deal with accuracy,28 access to and alteration of data,29 the assignment of unique identifiers,30 anonymity,31 transborder data flows32 and linkage of health information.33 The circumstances in which compliance is not required are listed under each HPP.
4.14 Part 1 of the Act contains the definitions, while Part 2 describes the general operation of HRIPA, including specific exemptions for particular practices and agencies. HRIPA makes special provision for the application of the HPPs to the public sector in Part 3, and to the private sector in Part 4. Privacy codes of practice and procedures for complaints against private sector persons34 and organisations are provided for in Parts 5 and 6, respectively. Part 7 details the functions of the Privacy Commissioner, while miscellaneous provisions are located in Part 8.
Difficulties with the structure of PPIPA
4.15 A number of commentators have remarked on the labyrinthine structure of PPIPA. Indeed, the President of the New South Wales Administrative Decisions Tribunal observed that he had seen “nothing quite like the maze that the New South Wales Act presents”.35 One problem seems to be the lack of clarity that occurs due to the location of the IPPs within PPIPA. Unlike other comparable legislation, the IPPs are not sequentially numbered and located in a discrete part of the legislation, but included in the body of the Act and given section numbers. For example, rather than being referred to as IPP 1, the principle dealing with collection of personal information for lawful purposes is contained in s 8 of PPIPA.
4.16 Another matter of particular concern is the seemingly haphazard location of provisions that exempt agencies, or types of activities, from some or all of the operation of PPIPA. The exemption provisions are currently dispersed throughout the Act and may be contained in codes or regulations. This creates confusion for public sector agencies in terms of understanding their obligations under the legislation, and for members of the public who may be uncertain as to the extent to which their personal information is protected.36
4.17 The number of exemptions from the scope and coverage of PPIPA prompted the Australian Privacy Foundation to comment that “the law creates an illusion of privacy protection in some areas which is not delivered”.37 A recent statutory review of PPIPA undertaken by the New South Wales Attorney General’s Department noted that most commentators believe other examples of privacy legislation to be schematically clearer than PPIPA.38 Accordingly, the review recommended that PPIPA be restructured using HRIPA as a model.39 The review further recommended that the IPPs, together with the exemptions relevant to each, be located in a schedule to the Act, as in HRIPA.40 Privacy NSW has also expressed the view that PPIPA should be restructured to bring all Act-based exemptions and exceptions together in one Part or Schedule.41
Level of detail
4.18 As noted above, both PPIPA and HRIPA are essentially examples of principles-based legislation, in that they each have as their core a set of privacy principles that articulate desired outcomes for information protection. However, the principles do more than state outcomes. In particular, PPIPA and its IPPs are reasonably prescriptive.
4.19 Privacy NSW is of the opinion that PPIPA is an example of “principle-based legislation being applied in a legal system which is more familiar with applying legal rules”.42 It considers that the principles on which PPIPA is based are sound. However, the legislative mechanisms designed to achieve compliance can be too rigid. This has led to the insertion of wholesale exemptions for specific functions or for certain agencies.43 Privacy NSW believes HRIPA to be a better model in this regard, stating higher-level principles, with provision for the Privacy Commissioner to make statutory guidelines on detailed matters of compliance not suited to inclusion in legislation.44 Accordingly, Privacy NSW is of the view that PPIPA should be amended to distinguish more clearly between the core principles in the legislation, and the mechanisms by which those principles could be expected to be achieved.45
4.20 This view accords with that of the ALRC. In DP 72, the ALRC favoured the development of a set of Unified Privacy Principles (or “UPPs”) to be contained in the Privacy Act 1988 (Cth), which would apply across the public and private sectors. The ALRC argues that the move towards a single set of privacy principles would be more easily facilitated through legislation that is not overly prescriptive. Accordingly, the ALRC proposes that the UPPs should be drafted as high-level principles that are simple, clear and easy to understand and apply.46 Further, the ALRC proposes that those principles should be able to be modified by more detailed agency and sector-specific rules to be contained in the regulations.47
The Commission’s view
4.21 The regulation of the way in which personal information is handled by the New South Wales public sector, from collection through to disclosure, is a complex matter involving a diversity of contexts. As such, legislation that underpins that regulation must involve a degree of complexity. However, the Commission is of the view that PPIPA in particular is unnecessarily convoluted. It is extremely difficult to identify which agencies are covered by all or some of the IPPs, and which agencies and activities have complete or partial exemption from the coverage of PPIPA as a whole. Indeed, the number of exceptions and exemptions is such that, even when presented in tabular form, they run to several pages.48
4.22 Segregating the IPPs into a Schedule to the Act, followed by exceptions to each IPP, would increase the transparency of PPIPA. This would also bring PPIPA into line with other information privacy laws, such as HRIPA, the Information Privacy Act 2000 (Vic), and the Privacy Act 1988 (Cth). This would also accord with the ALRC’s proposal to consolidate the two sets of principles in the Privacy Act 1988 (Cth) into a single set of UPPs, and to clarify and group together the exemptions into a separate part of the Act.49
4.23 Similarly, there is an attraction in the proposal to pare down the IPPs to high level principles, leaving the detail of how to comply with the principles, and any agency or sector-specific provisions, to be dealt with in the regulations. This has the advantage of making the legislation clearer and as flexible as possible. Consistency of compliance may be aided by making the legislation as prescriptive as possible; however, the current state of confusion that seems to surround privacy laws, and PPIPA in particular, suggests that it is the complexity of the provisions that is undermining their effectiveness.
4.24 As noted by the ALRC in DP 72, the broad, national application of the proposed UPPs would be facilitated by being framed as high-level principles. We agree. We propose:
SHOULD PPIPA HAVE AN OBJECTS CLAUSE?
4.25 It has become fairly common practice for legislation to contain either an objects clause, or a statement of purpose, or both. An objects clause or a statement of purpose can operate as a “coathanger” on which the structure of the legislation hangs. It can also be a useful tool of statutory interpretation should questions of uncertainty or ambiguity arise.50 An objects clause may contain a broad statement of social aims to be derived from the legislation, whereas a statement of purpose may have a narrower focus of clarifying the legislative intent. In terms of privacy legislation, PPIPA is quite unusual in that it has neither, while HRIPA contains both.51
4.26 At the Commonwealth level, the Privacy Amendment (Private Sector) Act 2000 (Cth) contains an objects clause,52 but the Privacy Act 1988 (Cth) does not. In IP 31, the ALRC noted the absence of an objects clause in the latter Act, and asked if there were some benefit to be derived from the inclusion of such a clause.53 After receiving feedback on what should be included in an objects clause, the ALRC proposed, in DP 72, that the Privacy Act 1988 (Cth) should contain the following statement of objects:
(a) implement Australia’s obligations at international law in relation to privacy;
(b) promote the protection of individual privacy;
(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance the public interest in protecting the privacy of individuals with other public interests;
(d) establish a cause of action to protect the interests that individuals have in the personal sphere free from interference from others;
(e) promote the responsible and transparent handling of personal information by agencies and organisations;
(f) facilitate the growth and development of electronic commerce, nationally and internationally, while ensuring respect for the right to privacy; and
(g) provide the basis for nationally consistent regulation of privacy.54
The Commission’s view
4.27 The Commission holds the preliminary view that an objects clause and/or a statement of purpose would be a beneficial inclusion in PPIPA. It would act as an interpretative aid, and provide a structural focal point for the Act. The objects clause proposed by the ALRC serves as a helpful illustration of the types of matters that could be included in PPIPA. However, not all of those objects would be appropriate for State legislation that applies only to the public sector.
4.28 Perhaps the best example of an objects clause and a statement of purpose in privacy legislation directly comparable to PPIPA is that contained in the Information Privacy Act 2000 (Vic). The main purposes of the Information Privacy Act 2000 (Vic) are stated to be:
(a) to establish a regime for the responsible collection and handling of personal information in the Victorian public sector;
(b) to provide individuals with rights of access to information about them held by organisations, including information held by contracted service providers;
(c) to provide individuals with the right to require an organisation to correct information about them held by the organisation, including information held by contracted service providers;
(d) to provide remedies for interferences with the information privacy of an individual;
(e) to provide for the appointment of a Privacy Commissioner.55
4.29 In addition, the Victorian Information Privacy Act 2000 contains the following statement of objects:
(a) to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector;
(b) to promote awareness of responsible personal information handling practices in the public sector;
(c) to promote the responsible and transparent handling of personal information in the public sector.56
These objects also accord largely with those articulated in the Second Reading Speech that introduced PPIPA into New South Wales Parliament.57
4.30 We seek comment on whether or not PPIPA should contain an objects clause and/or statement of purpose, and, if so, how such a clause or statement should be framed.
ACHIEVING GREATER CONSISTENCY IN HEALTH INFORMATION
4.31 One issue that has generated significant debate in recent years is the regulation of health information privacy, and the problems caused by the lack of any nationally consistent approach. Consistency in this context has at least three dimensions, namely, consistency between: Commonwealth and State laws; legislation that applies to the public and private health care sectors; and laws that regulate the privacy of general, as well as health-specific, information. The latter is particularly important, given that a number of agencies and organisations hold both general and health information and must currently comply with different privacy principles for each.
4.32 At the Commonwealth level, health information is regulated under the general IPPs and NPPs (or National Privacy Principles) in the Privacy Act 1988 (Cth) that apply to the public and private sectors respectively. Other jurisdictions, such as New South Wales and Victoria, have health-specific information privacy laws that apply to both the public and private sectors. This can lead to health care providers in border regions, such as Albury-Wodonga, having to comply with as many as 36 similar, but not necessarily consistent, privacy principles under three different pieces of legislation.58
4.33 The National Health and Medical Research Council has documented the difficulties caused by the complex plethora of health privacy laws in a health care environment where public/private and Commonwealth/State distinctions are increasingly meaningless. The Council observes that confusion among health care providers over which regime applies is common. This can lead to clinical care and quality assurance being limited because of impaired access to health information, and significant research not being approved.59 The Council urged the Commonwealth to consider implementing a single, simplified, national health privacy regime to replace the existing regulation.60
4.34 The need for nationally consistent regulation of health information will be even more crucial with the advent of electronically linked information systems. Instead of separate patient files being held by public or private hospitals, general practitioners and medical specialists, there is a move towards national electronic files where patient health records could be shared by health care professionals. For example, the Commonwealth’s HealthConnect initiative proposes that electronic referrals could be sent from one health care provider to another, and patient information shared electronically between hospitals and aged care facilities.61 In NSW, a system called Healthelink is currently being piloted in the Maitland region and in Greater Western Sydney for particular demographic groups.62
4.35 These measures will undoubtedly result in benefits in terms of service delivery and more streamlined procedures for both patients and health care practitioners. However, the privacy implications of health information being electronically stored, linked and shared, present enormous challenges. A number of initiatives, such as the draft National Health Privacy Code and the establishment of the National E-Health Transition Authority,63 have been underway for some time in order to help address these challenges.
4.36 The case for national consistency in the regulation of health information privacy is difficult to oppose.64 These matters are currently being consulted on extensively by the ALRC, and we will carefully consider the public feedback to their inquiry. In this section, we examine the impact on the structure of New South Wales privacy laws of the ALRC’s proposals aimed at achieving national consistency. In particular, we ask whether HRIPA should be restructured in terms of its private sector coverage and, if so, what implications this would hold for the regulation of health information held by public sector agencies.
Private sector coverage of health information under HRIPA
4.37 While national consistency in information privacy regulation as a whole is a worthy goal, it is the coverage of private sector organisations that represents the biggest area of overlap, inconsistency and controversy. Adherence to numerous provisions across different jurisdictions leads to added compliance burdens for business. Consumers and organisations may be confused as to their rights and responsibilities with regard to personal information. These concerns are particularly acute for private sector organisations that deal with health information, since this is the only area that is regulated by both Commonwealth and State privacy legislation.65
4.38 There have been a number of calls for the Commonwealth and States to synthesise their laws regarding health privacy.66 In 2003, the ALRC recommended, in its Report on the protection of human genetic information, that the Commonwealth and the States and Territories should attempt to harmonise information and health privacy legislation.67 In 2005, the Federal Privacy Commissioner noted the confusion caused by the proliferation of State health privacy laws. She recommended that the Commonwealth Government should remove any further ambiguity by amending s 3 of the Privacy Act 1988 (Cth) to provide that the Commonwealth intended to “cover the field” so far as regulation of information privacy in the private sector is concerned.68
4.39 The ALRC has taken up this recommendation in DP 72, proposing that the Privacy Act 1988 (Cth) be amended to preclude State and Territory laws that regulate the handling of personal information in the private sector.69 As far as New South Wales is concerned, this would have the effect of invalidating HRIPA to the extent that it applies to the private sector’s dealings with health information. The privacy of all information, including health information, dealt with by the private sector would be regulated federally under the UPPs.
The Commission’s view
4.40 If the ALRC’s proposals were to be implemented, New South Wales would have to amend HRIPA so that it no longer applied to private sector organisations.70 This would be highly beneficial for multi-disciplinary organisations, or those that operate across State jurisdictions, since they would only need to comply with one set of privacy principles. It would also make it easier for consumers to know which law regulates access to, and protection of, their health information.
4.41 NSW would - and should - continue to have a role in regulating health information held by State public sector agencies and private sector contractors that deal with those agencies.71 This is vital given the New South Wales Government’s role in the management and delivery of health care services in this State. Also, the ALRC acknowledges the importance of complaints handling at a local level, and proposes that State and Territory complaint agencies should be delegated the power to deal with complaints concerning alleged interferences with health information privacy by private sector organisations.72
4.42 At this preliminary stage, we support the ALRC’s proposal in this regard, given the benefits that would flow. Before making any final recommendation, however, we would like to obtain the views of consumers and businesses who would be affected by the proposal for New South Wales to hand over to the Commonwealth responsibility for health information protection in the private sector.
Should health information continue to be regulated separately?
4.43 When HRIPA was enacted in 2002, the privacy of health information was considered to raise issues of sufficient specificity to warrant separate legislative treatment. The Second Reading Speech made mention of the need to accommodate the “special needs arising in the management and use of health information”, and the need to balance consumer privacy with effective delivery of health care services.73 This followed a Ministerial Advisory Committee Report that recommended that separate health-specific legislation be introduced. The recommendation was largely based on the need for seamless regulation of information held by both the private and the public sectors, and because of the challenges posed by the foreshadowed national electronic linking of health records.74 There was a concern among the authors of the report that the legislative framework governing privacy at that time was inadequate to deal with what were seen as needs peculiar to health information.75
4.44 Victoria has also opted for health-specific information privacy legislation. When introducing the Health Records Act 2001 (Vic), the Minister for Health described health information as “arguably the most sensitive category of personal information that exists about an individual”. He also noted that the legislation recognised and responded to the “threat to privacy posed by the exponentially increasing capacity of modern technology” which was “nowhere more evident than in the case of health information”.76
4.45 On the other hand, health information is not subject to separate regulation at the Commonwealth level. The question of whether or not health information should be included under the general provisions of the Privacy Act 1988 (Cth) was hotly debated during the passage of the Privacy Amendment (Private Sector) Bill 2000.77 The House of Representatives Standing Committee on Legal and Constitutional Affairs noted that there were three principal arguments against including health information in the Bill:
- The health sector is so different from other sectors that the attempt to incorporate it within the general framework of the Bill was misguided.
- The regime established by the Bill would lead to the creation of inconsistent standards governing privacy rights in the public and private sectors.
- The access rights contained in the Bill enabling individuals to access their own health information were totally inadequate.78
4.46 Despite these arguments, the Committee concluded that health information should be included in the general Bill until such time as the health care sector could reach agreement on the harmonisation of privacy principles applicable to the public and private sectors.79
The ALRC’s position
4.47 The ALRC notes that, while the handling of health information gives rise to some unique issues, it is undesirable to have a separate set of principles or legislation dealing with health information privacy.80 This view is based on the need to avoid inconsistency between general and health-specific privacy regimes, and the fact that health information is held in a range of contexts, many of which have nothing to do with providing health care services.81 Many organisations hold a combination of general personal and health information, and should not, in the ALRC’s view, be required to comply with two sets of principles.82
4.48 Accordingly, the ALRC proposes that health information held by the public and private sectors should be regulated by the proposed UPPs. Further, the ALRC proposes that any amendments to the UPPs that may be necessary due to the unique nature of health information should be included in regulations made under the Privacy Act 1988 (Cth).83 Those regulations could be based on the draft National Health Privacy Code.84
The Commission’s view
4.49 If the proposal to hand over the regulation of private sector health information privacy were to be adopted, this would leave New South Wales with two main privacy statutes. Both would cover public sector entities only, but one would contain health-specific provisions.
4.50 At this stage, should that proposal be adopted, we favour merging PPIPA and HRIPA into a single piece of privacy legislation.85 We acknowledge that health information privacy does raise some issues of particular concern, but agree with the ALRC that those concerns can be accommodated through regulations or national codes, rather than through separate legislation. However, we have not reached a definite conclusion on the matter, and invite submissions on the topic.
ISSUE 4
If health information held by the private sector were to be regulated by the Privacy Act 1988 (Cth), should New South Wales continue to have two separate information privacy statutes?
ISSUE 5
What reasons would there be for the continued existence of the Health Records and Information Privacy Act 2002 (NSW) if it only regulated public sector agencies?
FOOTNOTES
1. See Australian Law Reform Commission, Review of Privacy (Issues Paper 31, 2006); and Australian Law Reform Commission, Review of Privacy (Discussion Paper 72, 2007).
2. NSW, Parliamentary Debates, Legislative Council, 17 September 1998, 7598-99 (the Hon J W Shaw).
3. See «www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html».
4. Although, in reality, both laws represent a hybrid position, containing a mix of principle and rule-based provisions.
5. For a discussion of the differences between principles-based and rules-based legislation, see ALRC DP 72, [15.21]-[15.40].
6. See Privacy and Personal Information Protection Act 1998 (NSW) s 4.
7. See Privacy and Personal Information Protection Act 1998 (NSW), pt 2, div 1, s 8-19.
8. See Ch 3 for a discussion of which public sector agencies are covered by the Privacy and Personal Information Protection Act 1998 (NSW).
9. The exemptions from the operation of all or part of the Privacy and Personal Information Protection Act 1998 (NSW) are discussed in more detail in Ch 3 and 5.
10. See Privacy and Personal Information Protection Act 1998 (NSW) s 52.
11. Privacy and Personal Information Protection Act 1998 (NSW) s 53.
12. Privacy and Personal Information Protection Act 1998 (NSW) s 55.
13. Privacy and Personal Information Protection Act 1998 (NSW) pt 4, div 2 and 3.
14. Privacy and Personal Information Protection Act 1998 (NSW) s 45(1).
15. Privacy and Personal Information Protection Act 1998 (NSW) s 60.
16. Privacy and Personal Information Protection Act 1998 (NSW) s 61.
17. Privacy and Personal Information Protection Act 1998 (NSW) s 62.
18. Privacy and Personal Information Protection Act 1998 (NSW) s 63.
19. Privacy and Personal Information Protection Act 1998 (NSW) s 68.
20. The exemptions are not located in one place, but appear throughout the legislation: see, for example, Privacy and Personal Information Protection Act 1998 (NSW) s 3, 4, 4A, 6, 20 and s 23-28, as well as exceptions to each IPP specified in s 8-19.
21. For example, the Privacy and Personal Information Protection Regulation 2005 (NSW).
22. Made under the Privacy and Personal Information Protection Act 1998 (NSW) pt 3, div 1.
23. Made under the Privacy and Personal Information Protection Act 1998 (NSW) s 41.
24. As defined in s 6 of the Health Records and Information Privacy Act 2002 (NSW).
25. HPP 1-4.
26. HPP 5.
27. HPP 10-11.
28. HPP 9.
29. HPP 6-8.
30. HPP 12.
31. HPP 13.
32. HPP 14.
33. HPP 15.
34. Note that the Health Records and Information Privacy Act 2002 (NSW) provides for complaints against public sector agencies to be dealt with under the procedures outlined in the Privacy and Personal Information Protection Act 1998 (NSW): see Health Records and Information Privacy Act 2002 (NSW) s 21.
35. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998 (26 May 2004), 5.
36. See, for example, New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998 (Tabled 25 September 2007, Legislative Assembly), [5.2].
37. See Australian Privacy Foundation, Submission to the New South Wales Attorney General’s Department’s Review of the Privacy and Personal Information Protection Act 1998 (2004), 2. For a discussion on the content of the exemption provisions, see Ch 3.
38. See, for example, New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [5.2]. In particular, see New South Wales Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998 (26 May 2004), 6; and Australian Privacy Foundation, Submission to the New South Wales Attorney General’s Department’s Review of the Privacy and Personal Information Protection Act 1998, 2.
39. See, for example, New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, Recommendation 2.
40. See, for example, New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, Recommendation 2 and [5.6]. The New South Wales Government supports that recommendation, but awaits the outcome of the reviews of privacy legislation being conducted by this Commission and the ALRC: see New South Wales Government, Response to the Report on the Statutory Review of the Privacy and Personal Information Protection Act 1998, 3.
41. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (24 June 2004), 43.
42. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, 40.
43. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, 8-9.
44. See Health Records and Information Privacy Act 2002 (NSW) s 64.
45. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, 42.
46. ALRC DP 72, Proposal 15-1.
47. ALRC DP 72, Proposals 15-1 and 3-1.
48. See exemptions matrix at: «www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/vwFiles/privacyessentials_04_2005.pdf/$file/privacyessentials_04_2005.pd». See also Chapter 5.
49. ALRC DP 72, Proposal 3-2.
50. See Interpretation Act 1987 (NSW) s 33.
51. Health Records and Information Privacy Act 2002 (NSW) s 3(1) and s 3(2). There is also an objects clause in the Health Records Act 2001 (Vic) s 6; and the Information Act 2002 (NT) s 3(1).
52. Privacy Amendment (Private Sector) Act 2000 (Cth) s 3.
53. ALRC IP 31, [3.15]-[3.21].
54. ALRC DP 72, Proposal 3-4.
55. Information Privacy Act 2000 (Vic) s 1.
56. Information Privacy Act 2000 (Vic) s 5.
57. See New South Wales, Parliamentary Debates, Legislative Council, 17 September 1998, 7598-99 (the Hon J W Shaw). See Ch 3 for more details of the objects of the Privacy and Personal Information Protection Act 1998 (NSW).
58. That is, the 10 NPPs in the Privacy Act 1988 (Cth), the 15 in the Health Records and Information Privacy Act 2002 (NSW), and the 11 in the Health Records Act 2001 (Vic).
59. National Health and Medical Research Council, Submission to the Review by the Federal Privacy Commissioner of the Private Sector Provisions of the Privacy Act 1988 (Cth) (10 December 2004), [4.1-4.2].
60. National Health and Medical Research Council, Submission to the Review by the Federal Privacy Commissioner of the Private Sector Provisions of the Privacy Act 1988 (Cth), Recommendation 1.
61. For more information, see «www.healthconnect.gov.au».
62. See «www.healthelink.nsw.gov.au» accessed at 22 May 2008.
63. The National E-Health Transition Authority is a not-for-profit company jointly funded and established by the Commonwealth and State and Territory Governments to “develop better ways of electronically collecting and securely exchanging health information”: see «www.nehta.gov.au», accessed at 14 November 2007.
64. See Ch 1 at para 1.7-1.9 and Proposal 1.1.
65. At least in New South Wales, Victoria and the ACT.
66. See New South Wales Health, Submission (18 September 2006); and the Royal Australian College of General Practitioners New South Wales and ACT Faculty, Submission (7 July 2006).
67. Australian Law Reform Commission, Essentially Yours (Report 96, 2003) vol 1, 251, Recommendation 7.1.
68. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 45.
69. ALRC DP 72, Proposal 4-1.
70. See ALRC DP 72, Proposal 4-2. The ALRC notes that provisions exist in other State legislation, such as the Public Health Act 1991 (NSW) s 14, that require reporting of certain information for public health purposes, and believes that there are good reasons why these provisions should be preserved: see ALRC DP 72, [4.75]-[4.76].
71. See ALRC DP 72, Proposal 4-3.
72. ALRC DP 72, Proposals 45-3 and 56-1.
73. See New South Wales, Parliamentary Debates, Legislative Council, 11 June 2002, 2958 (Michael Egan).
74. New South Wales Ministerial Advisory Committee on Privacy and Health Information, Panacea or Placebo?, Report to the New South Wales Minister for Health (2000).
75. New South Wales Ministerial Advisory Committee on Privacy and Health Information, Panacea or Placebo? Report to the New South Wales Minister for Health, 22-24.
76. Victoria, Parliamentary Debates, Legislative Assembly, 23 November 2000, 1906 (John Thwaites).
77. See Australia, House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), Ch 6.
78. Australia, House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, [6.12].
79. Australia, House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000, [6.29]-[6.40].
80. ALRC DP 72, [56.73]-[56.74].
81. See, for example, AW v Vice Chancellor, University of Newcastle [2008] NSWADT 86 in which health information (the applicant’s HIV status) was held by the university in the context of the applicant’s complaint to the university of discrimination and harassment (the information having been provided by the applicant to support his allegations).
82. ALRC DP 72, [56.77]-[56.78].
83. ALRC DP 72, Proposal 56-2.
84. ALRC DP 72, [56.83].
85. We propose that that legislation should be modelled on the Health Records and Information Privacy Act 2002 (NSW) structure.