5. Scope of privacy protection

Updates and background for this project (Digest)

• Introduction
• Should the scope of PPIPA and HRIPA be expanded by reducing or limiting exemptions?
• Should other aspects of privacy be expressly protected in PPIPA?
• A general cause of action for invasion of privacy?

INTRODUCTION

5.1 Chapter 3 described the protection of privacy that the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”) and the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”) afford to individuals whose information is collected, held, used and disclosed by public sector agencies and private sector persons.

5.2 This chapter considers whether the scope of PPIPA and/or HRIPA can or should be extended:

• by limiting the numerous exemptions in the legislation, particularly exemptions to the definition of “personal information”; and/or
• by giving express protection to areas, subject matters or activities beyond information privacy.

SHOULD THE SCOPE OF PPIPA AND HRIPA BE EXPANDED BY REDUCING OR LIMITING EXEMPTIONS?

Background

5.4 The scope of the legislation, and the application of PPIPA’s Information Protection Principles (“IPPs”) and HRIPA’s Health Privacy Principles (“HPPs”), is curtailed by the number of exemptions - from the definition of “personal information”; of specific functions; or of specific agencies.¹ As Chapter 4 put forward, there are arguably too many exemptions, both in terms of restricting the extent of protection given to the public and in terms of the public’s ability to make sense of the legislation. The complexity of the legislation created by the number of exceptions also engenders challenges to the way the legislation is applied, which consume time, money and energy. Individual’s are forced to seek internal review of conduct or a decision that has exempted their personal information from the safeguards of the IPPs, with binding findings and enforceable remedies only available on subsequent application to the Administrative Decisions Tribunal (“ADT”).

5.5 The paragraphs below single out some of the exemptions that have been the subject of criticism and examine whether any of these can be omitted or limited. Most fall into the category of exemptions to the definition of “personal information”.

5.6 The issues raised by the Commission should be considered in the context of PPIPA and HRIPA being beneficial statutes that, subject to the identified purposes of the statutes, “should be interpreted broadly so that people can obtain the maximum benefit from the rights they are afforded”.² In general, legislation affecting privacy rights should be interpreted so as to allow minimal exceptions to the general rules that protect an individual’s privacy.³

Personal information – PPIPA s 4; HRIPA s 5

5.7 Both s 4 of PPIPA and s 5 of HRIPA define “personal information” as meaning “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. Standing alone, this is a relatively straightforward and broad definition. However, each section then goes on to provide, in sub-section (3), that “personal information does not include the following”, thereafter listing 12 exceptions to the definition in the case of PPIPA and 15 exceptions in the case of HRIPA.⁴

5.8 The ADT has commented (in reference to PPIPA) that the broad definition of “personal information” is cut back in “quite significant and detrimental ways”.⁵ The NSW Ombudsman has also observed that PPIPA’s 12 separate exceptions “result in an overly complicated definition which is a barrier to effective understanding and implementation of the Act”.⁶

5.9 Privacy NSW has argued that it would be preferable to provide exemptions from specific IPPs, rather than taking certain categories of personal information outside the scope of the legislation altogether.⁷ This is an approach that could equally be adopted in relation to specific functions and agencies exempted by PPIPA and HRIPA. Rather than blanket exemption from the IPPs and HPPs, the legislation could identify just those IPPs and HPPs whose application may genuinely interfere with an agency’s legitimate functioning and purposes.

5.10 Privacy NSW has also pointed out that many exemptions from the definition of “personal information”, particularly those applying to information about protected witnesses, adoption information and information obtained through telephone interceptions, “relate to matters that would otherwise be subject to tough sanctions for corrupt disclosure”.⁸

Publicly available information - PPIPA s 4(3)(b); generally available information - HRIPA s 5(3)(b)

5.11 PPIPA provides that information about an individual that is contained in a publicly available publication is excepted from the definition of “personal information”. HRIPA provides that information about an individual that is contained in a generally available publication is excepted from the definition of “personal information”. Neither Act specifically defines these phrases. PPIPA provides that a regulation can declare a publication or document not to be a “publicly available document” for the purposes of that Act.⁹ The effect of s 4(3)(b) of PPIPA and s 5(3)(b) of HRIPA is that public sector agencies can collect and use information from published sources without having to comply with restrictions imposed by the IPPs, although the annotated guide to PPIPA states that “there must be some provable nexus between the information in the publication and the issue at the time of the conduct.”¹⁰

5.12 Privacy NSW has argued that the absence of a clear definition in PPIPA of “publicly available publication” has caused confusion and disagreement about the application and scope of the exception.¹¹ It is concerned that the exception is both unclear and too wide, effectively undermining the object of PPIPA.¹² Furthermore, it “places much of people’s information at risk of misuse without penalty”.¹³ Privacy NSW submits that the drafting of s 4(3) allows information collected from a publicly available publication “to be used or disclosed in ways that would be considered corrupt and be subject to the criminal offence provisions of the Act, were it not for the exemption”.¹⁴ Combined with the exemption in s 28(3) for disclosures to an agency’s minister or the Premier, Privacy NSW has submitted that s 4(3)(b) “allows ‘information laundering’ to occur”.¹⁵

5.13 Submissions to the Attorney General’s Department’s statutory review of PPIPA were concerned that “publicly available information” means “information in the public domain”, which would include information published on the Internet.¹⁶ If that information is inaccurate, or taken out of context, the person to whom the information relates loses important privacy protections. For example, an address published on the Internet may be obscurely placed and/or published with the expectation of very limited readership (such as a family biography/reunion site). If it is “collected” by an agency it could be highlighted and given a different context.

5.14 This risk arises in relation to all publicly available information. If it is put to a use that places the information in a different context it may give rise to inferences that did not otherwise arise, or emphasise or bring attention to it in a way that would not otherwise have occurred. The ADT Appeal Panel gives the example of the information conveyed by a name and address in a telephone directory compared with the information conveyed if that name and address is held in the file of a child protection agency.¹⁷ Privacy NSW notes that in 2002-2003, 22% of all internal review cases involved alleged misuse of personal contact details.¹⁸ The exemption had in many cases been used to justify disclosure of a complainant’s identity to a third party on the basis that the information was published in a telephone directory. Privacy NSW gives a further example of the former Special Branch of the NSW Police creating dossiers on individuals from publicly available sources such as press clippings.

5.15 Taking out of a person’s control the choice of when, where and to whom he or she discloses personal information has serious privacy implications and calls for proper justification and strict safeguards. As Privacy NSW has said, “context is everything”.¹⁹

5.16 The ADT Appeal Panel has signalled that particularly convincing or compelling evidence will be required before it finds that something is from a publicly available publication, resulting in the individual named being unable to “access the important human rights protections conferred by [PPIPA]”.²⁰

5.17 The statutory review of PPIPA concluded that:

If agencies continue to apply the exemption sensibly and in the spirit of the Act, so as to apply the IPPs and protect the privacy of individuals, then no action is required. If agencies begin to make unreasonable claims about the nature of the information they manage, then the exemption should be reviewed.²¹

5.19 The Privacy Commissioner has suggested that it would be preferable to remove the general exemption and instead exempt publicly available information only from IPP 2, which provides that information can only be collected from the person concerned, unless that person has consented to third party collection.²² The Commission sees merit in that proposal and is interested to receive submissions on it.

5.20 The ADT has also expressed a concern that the exception is too wide.²³ For example, agencies have indicated to the ADT that documents used for internal management purposes but not restricted and therefore, strictly speaking, “publicly available”, are covered by the exception.²⁴ In the ADT’s view, “publicly available information” should not be exempted generally, but only from the collection IPPs, as in the Privacy Act 1988 (Cth).²⁵

5.21 Whether the above analysis and submissions in relation to “publicly available” information are equally applicable to “generally available” information is uncertain. It can be argued that the meaning of “generally available” is narrower than the meaning of “publicly available”, as one might expect where the information relates to an individual’s health. Whether the terms ought to be distinguished in this way is a further issue. The Commission would like to receive submissions on the point.

Interaction of s 4(3)(e), (i) and (ja) with s 20(5) of PPIPA; interaction of s 5(3)(h) and (l) with s 22(3) of HRIPA

5.22 Sections 4(3)(e) and (i) of PPIPA are mirrored in s 5(3)(h) and (l) of HRIPA, and s 20(5) of PPIPA is mirrored in s 22(3) of HRIPA. For ease of reading, the following discussion focuses on PPIPA but the comments are equally applicable to the provisions of HRIPA. There is, however, no equivalent provision in HRIPA of s 4(3)(ja) of PPIPA (adoption information).

5.23 Protected disclosures – PPIPA s 4 (3)(e); HRIPA s 5(3)(h). Section 4(3)(e) excludes from the definition of “personal information” information contained in a “protected disclosure” within the meaning of the Protected Disclosures Act 1994 (NSW), or collected in the course of an investigation arising out of a protected disclosure. A “protected disclosure” is one made by a public official to an investigating authority,²⁶ for the purpose of uncovering corrupt conduct, maladministration or serious and substantial waste in the public sector.²⁷

5.24 The NSW Ombudsman argues that the exemption is unnecessary because of the provisions of s 20(5) of PPIPA and cl 20(1)(d) of Schedule 1 to the Freedom of Information Act 1989 (NSW) (“FOI Act”). Clause 20(1)(d) of Schedule 1 to the FOI Act exempts documents from the operation of that Act that contain matter relating to a protected disclosure. The effect of s 20(5) in this context is (presumably) to ensure that provisions of the FOI Act that exempt information from the application of IPPs 6, 7 and 8 (s 13, 14 and 15) apply, unaffected by PPIPA.²⁸

5.25 However, this interpretation of s 20(5) is based on an assumption that the exemption in cl 20(1)(d) of Schedule 1 to the FOI Act can be classified as a “condition” or “limitation” so as to come within the ambit of s 20(5).²⁹ This assumption may not be correct. The Crown Solicitor’s Office, New South Wales (“Crown Solicitor”), commenting that s 20(5) is “not an easy provision to construe”, has observed that “[t]he difficulty lies in identifying the provisions of the FOI Act that impose ‘conditions or limitations (however expressed)’ with respect to any ‘matter’ referred to in ss 13, 14 or 15".³⁰

5.26 Given that the wording of s 20(5) of PPIPA is not easy to decipher, and arguably ambiguous,³¹ it may be imprudent to do away with the exemption in s 4(3)(e) in reliance on such an unclear provision. The protected disclosure exemption is a valid one as there is legitimate public interest in allowing a public official to disclose information to an investigating authority in the knowledge that that information will be exempt not only from IPPs 6, 7 and 8 but from other relevant IPPs.

5.27 However, whether the disclosure should be exempt from all the IPPs needs individual consideration. For example, it is perhaps not justified to exempt the disclosure from IPP 1, which provides that an agency must not collect personal information other than for a lawful purpose by lawful means. Similarly, should the disclosure be exempt from: IPP 5 (retention of information for no longer than is necessary; secure keeping and disposal); IPP 9 (checking accuracy of information before use); or IPP 10 (use of information for the purpose for which it was collected, or a directly related purpose)?

5.28 Restricted documents – PPIPA s 4(3)(i); HRIPA s 5(3)(l). The NSW Ombudsman raises a similar argument with respect to the exception in s 4(3)(i), again submitting that it is unnecessary because of s 20(5) of PPIPA.³² Section 4(3)(i) excepts information contained in “restricted documents”, namely Cabinet and Executive Council documents, as referred to in cl 1 and 2 respectively of Schedule 1 to the FOI Act.

5.29 Adoption information – PPIPA s 4(3)(ja). Section 4(3)(ja) excepts adoption information obtained under the Adoption Act 2000 (NSW) from the definition of “personal information”. Clause 20(1)(c) of Schedule 1 to the FOI Act exempts from the operation of that Act “matter relating to the receipt of an amended or original birth certificate or of prescribed information under the Adoption Act 2000”. The NSW Ombudsman argues that s 4(3)(ja) is unnecessary by reason of s 20(5) of PPIPA and cl 20(1)(c) of Schedule 1 to the FOI Act, providing a “suitable amendment” is made to that clause.³³ The Ombudsman does not identify what that amendment should be.

Complaints made about police – PPIPA s 4(3)(h); HRIPA s 5(3)(k)

5.30 Section 4(3)(h) of PPIPA and s 5(3)(k) of HRIPA exclude from the definition of “personal information” information about an individual arising out of a complaint made under Part 8A of the Police Act 1990 (NSW) (Complaints about conduct of police officers).

5.31 The ADT Appeal Panel has accepted the desirability of setting limits on the scope of the exemption, stating, in relation to PPIPA, that s 4(3)(h) would not protect information that had an “indeterminate” or “tenuous” relationship – and, even more so, no relationship at all – with the investigation.³⁴

5.32 NSW Police argue that the exemption is needed, and that “arising out of” should not be interpreted so narrowly as only to exempt information that is relevant. Otherwise, the Police argue, they will be hindered in investigating and preventing police corruption because of the difficulty in determining whether a piece of information is going to be relevant or not.³⁵

5.33 The review of PPIPA has observed that the phrase “arising out of” has made the exception “extremely difficult to define” and has in fact allowed its scope to be extended beyond that intended by Parliament.³⁶ It is critical that the provision impels a forensic exercise of tracing back the origins of the information, rather than considering the information in the context of its collection, use or disclosure. The review advocates identifying those IPPs that it is appropriate to exclude, and allowing the remainder to apply.

5.34 The NSW Ombudsman has argued that it would be unnecessary to have the exception in s 4(3)(h) of PPIPA if the Ombudsman was included in s 27.³⁷ Section 27 provides that the Independent Commission Against Corruption, the Police Integrity Commission, their respective Inspectors and Inspectors’ staff, the NSW Police Force and the NSW Crime Commission are not required to comply with the IPPs. The equivalent provision is contained in s 17 of HRIPA. This argument applies equally to s 4(3)(c), (d) and (f) of PPIPA and s 5(3)(f), (g) and (i) of HRIPA. These sub-sections except from the definition of “personal information” information about an individual arising out of: covert surveillance; a law enforcement operation; and information about a witness in a witness protection program.

Suitability for appointment or employment as public sector official - PPIPA s 4(3)(j); HRIPA s 5(3)(m)

5.35 Pursuant to s 4(3)(j) of PPIPA and s 5(3)(m) of HRIPA, information or opinion about an individual’s suitability for appointment or employment as a public sector official is excepted from the definition of personal information. Privacy NSW has raised a concern that s 4(3)(j) of PPIPA is being interpreted too broadly and exceeds Parliament’s intention.³⁸ While Privacy NSW backs up this view with statistics of complaints made by employees against public sector agencies, the Attorney General’s Department, on the other hand, argues that “there is no substantive case law to indicate that the exemption is working in a way different from that which parliament intended”.³⁹

5.36 Parliamentary debates on the Privacy and Personal Information Bill cast some doubt on whether Parliament envisaged the extent to which the exemption might be applied to information beyond the recruitment process, or even whether it might apply at all following appointment to, or employment in, a position. During debate in committee on an Opposition proposal to omit s 4(3)(j) (cl 4(3)(i) of the Privacy and Personal Information Bill, the Hon J P Hannaford commented:

Effectively that means people wanting to obtain personal information about themselves in relation to possible employment will not be able to obtain it.⁴⁰

it is not particularly easy to formulate such a code that might not prevent sensitive information being given to a prospective employer where that information would be highly relevant to the employability of a particular person.⁴²

if the amendment is agreed to, a department would not be able to tell another department of problems with a job applicant. It is common for an applicant to obtain a reference from the present supervisor for a job application to another department but this proposal would make that impossible.⁴³

5.40 However, Y v Director General, Department of Education has established that s 4(3)(j) does not only refer to information that was collected in the course of a selection process.⁴⁵ It can be used to exempt information relating to an employee after he or she has been appointed or employed, which gives the provision a potentially extensive application. Even within “the routine personnel context (that of recruitment, promotion, discipline and involuntary retirement)”,⁴⁶ there is still the potential for significant exclusion. Furthermore, unusual cases outside this context are possible.⁴⁷ This potentially conflicts with the purposive approach that is to be applied to any interpretation of PPIPA’s provisions. Given that the purpose of PPIPA is expressed in wide-ranging terms,⁴⁸ and the legislation is beneficial legislation, any exclusion should be interpreted narrowly. However, if the natural and ordinary meaning of the phrase legitimately allows an extended application of the exemption, agencies are entitled to rely on this.

5.41 In PN v Department of Education and Training,⁴⁹ although the complainant’s complaint against the Department for failing to apply certain IPPs to her personal information was upheld, the case highlights the scope for exempting a great deal of personal information pursuant to s 4(3)(j). An agency could conceivably mount an argument for almost every piece of information, as well as opinion,⁵⁰ it collects or receives pertaining to one of its employees. In PN v Department of Education and Training, for example, the Department contended that all relevant information that it collected, used or disclosed was information “touching upon” the issue of PN’s employment with the Department, and was thus excluded from application of the IPPs.

5.42 Even if a decision by an agency to exempt material is successfully challenged, in the meantime, the complainant has been put through, at best, inconvenience, and, at worst, harm to career, reputation and emotional well-being. PN v Department of Education and Training is a case in point. The complainant was successful but endured a lengthy, and costly, process of adjudication, including an internal review by the Department, a hearing by the ADT, an appeal to the ADT Appeal Panel and remittance to the ADT for further determination when the appeal was dismissed.⁵¹

5.43 The ambiguity of the phrase “suitability for appointment or employment” and the latitude for variations in application is implicitly acknowledged in the fact that the ADT has said that whether or not information will be exempt under s 4(3)(j) “is to be determined by consideration of both the content and the context of the information”.⁵²

5.44 The Commission would be interested to receive feedback on whether s 4(3)(j) of PPIPA and s 5(3)(m) should be amended either:

• to restrict, in clear terms, its application to information relating to recruitment of an employee; or
• to clarify that it can apply to information about an employee’s suitability for employment in his or her current position with the relevant agency.

Do photographs and video images constitute “personal information”?

5.46 In SW v Forests NSW, the ADT held that digital photographs of SW that had been copied onto a compact disc comprised personal information about SW.⁵⁴ The Tribunal relied on a statement in Vice-Chancellor, Macquarie University v FM that the ordinary meaning of the words “possession or control” “connotes some form of physical object upon which or within which an information or opinion is recorded”.⁵⁵ However, the Crown Solicitor has raised a concern that, “while visual images could, depending on whether an individual’s identity is apparent or can reasonably be identified from the image”, fall within the definition of “personal information”, it is conceptually difficult to apply a number of the IPPs to images, in particular the collection IPPs 2 and 3 (PPIPA s 9 and 10).⁵⁶

5.47 Arguably, Parliament may not have intended that the definition of “personal information” would cover visual images in photographs or videos. While the wording of s 4 may appear wide enough on its face to encompass information contained in recorded images, the context of Pt 2 Division 1, in prescribing how information must be dealt with, suggests that Parliament intended that only information that “can be collected directly from, and provided by, an individual in the ordinary sense (either by some form of communication or by the giving of bodily samples)” be covered. This would not include video records or photographs taken by an agency.⁵⁷

Meaning of the phrase “or can reasonably be ascertained from the information or opinion”

5.48 The Crown Solicitor has noted that the meaning of “or can reasonably be ascertained from the information or opinion” in s 4(1) of PPIPA and s 5(1) of HRIPA is ambiguous.⁵⁸ On one view, it could be interpreted expansively to permit “constructive identification”. That is, the identity of an individual might not be apparent from the original information but when it is combined with extrinsic information the identity becomes apparent. The problem with this construction, the Crown Solicitor argues, is that it gives rise to uncertainty as to the point at which identity of the individual ceases to become “reasonably ascertainable”.⁵⁹ It may also be inconsistent with the requirement that the individual identity “can reasonably be ascertained from the information or opinion”.

5.49 In Police Force of Western Australia v Ayton, the Court considered the phrase in the context of FOI legislation and held that the definition does not exclude the possibility that identity can be ascertained by reference to extrinsic material.⁶⁰ But the nature of the extrinsic material is central: if it is known to a significant community of people or easily accessible to ordinary members of the public, identification from a combination of sources may still be classified as having been reasonably ascertained from the original information in question. It could not be so classified if the extrinsic information comes from “some obscure and lengthy process of cross-referencing and deduction from other materials”.⁶¹

5.50 The Department of Health is of the view that ascertaining someone’s identity from information or opinion is so dependent on the circumstances that attempting to clarify the meaning further in legislation would not be helpful.⁶² At most, it suggests formulating broad guidelines that an agency can apply to a specific context.

Issues arising out of the exceptions to “personal information”

ISSUE 6

(a) Should “publicly available information” under the Privacy and Personal Information Protection Act 1998 (NSW) and “generally available information” under the Health Records and Information Privacy Act 2002 (NSW) be exempted altogether from the definition of “personal information” in those Acts?

(b) Should IPP 2 and HPP 2 alone apply to “publicly available information” and “generally available information”, but not other IPPs and HPPs?

ISSUE 7

(a) Is the meaning of “publicly available information” the same as “generally available information”? Is it appropriate that they have different meanings in the context of general information and health information?

(b) If two different phrases are to remain, should the definitions of “publicly available information” and “generally available information” be clarified in the legislation?

ISSUE 8

(a) Should the exemptions in any or all of the following provisions remain or are they made unnecessary by s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW) and Schedule 1 to the Freedom of Information Act 1989 (NSW):

• s 4(3)(e)of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(h) of the Health Records and Information Privacy Act 2002 (NSW);
• s 4(3)(i) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(l) of the Health Records and Information Privacy Act 2002 (NSW); and/or
• s 4(3)(ja) of the Privacy and Personal Information Protection Act 1998 (NSW)?
(b) If any or all of the exemptions are to remain, should the information referred to in each provision be exempt from all the IPPs and HPPs or only some of them? Which, if any, IPPs and HPPs should apply to the information?

(c) If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged into one Act, how should the exemptions be worded if they are retained?

ISSUE 9

What is the rationale behind, and value of, the exception contained in s 4(3)(h) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(k) of the Health Records and Information Privacy Act 2002 (NSW) (information arising out of a complaint about conduct of police officers)?

ISSUE 10

Should a person who has made a complaint about police conduct be precluded from having access to their personal file in relation to the complaint process?

ISSUE 11

Should the police officer who is the subject of a complaint be able to access the information relating to the complaint?

ISSUE 12

Should some IPPs and HPPs but not others apply to information about an individual arising out of a complaint made under Part 8A of the Police Act 1990 (NSW)? If so, which ones should apply?

ISSUE 13

(a) Should the NSW Ombudsman be included among those agencies listed in s 27 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 17 of the Health Records and Information Privacy Act 2002 (NSW) as being exempt from compliance with the IPPs?

(b) Even if the answer to this is “yes”, should the information referred to in s 4(3)(c), (d), (f) and (h) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(f), (g), (i) and (k) of the Health Records and Information Privacy Act 2002 (NSW) continue to be exempt from the definition of “personal information”?

ISSUE 14

Should the legislation continue to exempt from the definition of “personal information” information about an individual’s suitability for appointment or employment as a public sector official?

ISSUE 15

Should the exemption from the definition of “personal information” of information about an individual’s suitability for appointment or employment as a public sector official be restricted to information about a prospective employee, or also apply to information about an agency’s current employee?

ISSUE 16

Do s 4(3)(j) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(m) of the Health Records and Information Privacy Act 2002 (NSW) need amending to clarify their meaning and Parliament’s intention?

ISSUE 17

Should s 4(3)(j) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(m) of the Health Records and Information Privacy Act 2002 (NSW) be reworded to provide that they apply only to information that directly relates to suitability for recruitment, promotion, discipline and involuntary retirement?

ISSUE 18

(a) Should information contained in photographs or video images come within the definition of “personal information”?

(b) Should this depend on whether an individual’s identity is apparent or can reasonably be identified from the visual image?

(c) If the definition of “personal information” should include visual images, should this be clarified in the legislation?

(d) Should some of the IPPs, but not others, apply to visual images that contain personal information? If so, which ones should apply?

ISSUE 19

(a) Should the meaning of the phrase “or can reasonably be ascertained from the information or opinion” in s 4(1) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(1) of the Health Records and Information Privacy Act 2002 (NSW) be clarified?

(b) If so, should this be by an amendment to the legislation or should it be left to judicial construction or the publication of a Privacy Guideline?

5.51 Sections s 3(1)(b) of PPIPA and s 4(1) of HRIPA provide that “public sector agency” includes “a statutory body representing the Crown”. The Crown Solicitor has suggested that, since the decision in McNamara v Consumer Trader and Tenancy Tribunal (“McNamara”),⁶³ it is arguable that “a statutory body representing the Crown” is limited to those bodies that are expressly described in other Acts as such or declared to be “a NSW Government agency”.⁶⁴ If, then, a body established for a public purpose by or under legislation falls outside s 3(1)(b), and cannot be described as any of the entities covered by sub-sections (a), (c), (e), (f) or (g), the Crown Solicitor argues that it is difficult to ascertain whether that body is intended to be a public sector agency. This is because the only sub-section left, sub-section (d), is difficult to apply as it requires complicated analysis of the auditing requirements of the Public Finance and Audit Act 1983 (NSW).⁶⁵

5.52 The Commission queries whether the decision in McNamara extends to support this argument. In McNamara, the Roads and Traffic Authority sought to claim the immunity conferred on the Crown in s 5 of the Landlord and Tenant (Amendment) Act 1948 (NSW) by virtue of being “a statutory body representing the Crown”. The High Court held that defining an agency in an Act as “a statutory body representing the Crown” did not automatically entitle that agency to the privileges and immunities of the Crown.⁶⁶ Crown immunity would need to be expressly given by the statute, or the statute could expressly define “Crown” so as to include “any statutory body representing the Crown”.⁶⁷ Even so, it is arguable that, irrespective of McNamara, a “statutory body representing the Crown” would need to be declared as such by the statute creating its existence.

5.53 The Commission is also not convinced of the difficulty in establishing whether a person’s or body’s accounts are part of the accounts prepared under the Public Finance and Audit Act 1983 (NSW), or whether they are required to be audited by the Auditor-General.

5.54 Nevertheless, the Commission sees merit in clarifying the status under PPIPA and HRIPA of bodies established for a public purpose but not expressly described in legislation as such or declared to be “a NSW Government agency”. The Crown Solicitor has suggested that the definition in s 3(1)(b) of PPIPA and s 4(1) of HRIPA of a “public sector agency” as a “statutory body representing the Crown” should be defined either as “a body established or appointed for a public purpose by or under a NSW enactment” or, alternatively, “any public authority constituted by or under an Act”.

5.55 The NSW Department of Health has pointed out that neither of these definitions may cover affiliated health organisations.⁶⁸ These are private benevolent organisations that receive 100% of their funding from the government, such as St Vincent’s Hospital in Sydney and the Royal Flying Doctor Service.⁶⁹ They are significant service providers and record-keepers in the health sector and ought to be brought unambiguously within the scope of HRIPA.

ISSUE 20

Should s 3(1)(b) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to define a “public sector agency” as “a body established or appointed for a public purpose by or under a NSW Act “ or, alternatively, “any public authority constituted by or under a NSW Act”?

ISSUE 21

Should s 4(1) of the Health Records and Information Privacy Act 2002 (NSW) be amended to define a “public sector agency” as “a body established or appointed for a public purpose by or under a NSW Act or an affiliated health organisation” or, alternatively, “any public authority constituted by or under a NSW Act or an affiliated health organisation”?

5.56 Pursuant to s 4(5) of PPIPA and s 10 of HRIPA “personal information” under PPIPA and “health information” under HRIPA is not “collected” by a public sector agency or organisation if receipt of the information by the agency/organisation is unsolicited. The consequence of this is that at least IPPs 1, 2, 3 and 4,⁷⁰ and HPPs 1, 2, 3 and 4, which regulate collection of information, and possibly other IPPs and HPPs, do not apply to unsolicited information.

5.57 There are two issues that arise here that make it difficult to delineate the scope of the exemptions under s 4(5) of PPIPA and s 10 of HRIPA. First, when is information “unsolicited”? Secondly, if it is unsolicited, what IPPs or HPPs do not then apply to that information? The legislation does not make this explicit.

5.58 In regard to the first issue, there is a lack of consensus between the cases decided by the ADT.⁷¹ In KD v Registrar, New South Wales Medical Board, the ADT found that the applicant’s complaint to the New South Wales Medical Board was unsolicited and therefore not “collected” under PPIPA and further observed that “virtually all complaints received by investigative agencies will be unsolicited”.⁷² Privacy NSW, however, has warned agencies against treating complaints to them as unsolicited if the agency holds itself out as the appropriate body to contact in the event of dissatisfaction.⁷³

5.59 In KD v Registrar, New South Wales Medical Board, the ADT, having found that the information was unsolicited, found that IPPs 1, 2, 3 and 4 had no application.⁷⁴ In relation to the remaining IPPs, the Privacy Commissioner argued that IPPs 5-12⁷⁵ applied to personal information held by agencies, irrespective of whether that information was collected, within the meaning of PPIPA. That is, once an agency “holds” personal information, s 12-19 come into play.⁷⁶ The ADT held that while s 19 (IPP 12 – special restrictions on disclosure of personal information) catches all personal information held by an agency, however obtained, s 17 and 18 do not (IPPs 10 and 11 – limits on use and disclosure).⁷⁷ It held that it is implicit from the construction of these provisions that each applies only to information that has been collected.⁷⁸

5.60 The Government, in its response to the Attorney General’s statutory review of PPIPA, argued that where information is provided gratuitously and is not relevant to the function of the agency, it could be regarded as unsolicited and that, in such a case, it was difficult to see why an agency should be subjected to the same restrictions as for solicited material.⁷⁹ It concluded that the meaning of “unsolicited” needs further review. The statutory review recommended that PPIPA be amended to clarify that, while unsolicited information is not subject to the collection principles, the other IPPs do apply.⁸⁰ The Government neither supported nor rejected this recommendation but stated that it required further consideration.

5.61 The ADT’s submission to the statutory review queried whether its decision in KD v Registrar, New South Wales Medical Board gave a degree of operation to the “unsolicited information” exception that was unintended.⁸¹ It emphasised that an agency should not be exposed to the risk of contravening those IPPs that were formulated to protect a person from whom the agency actively sought information.⁸² However, once the agency is in possession of the information, in the ADT’s view, the agency should comply with the IPPs relating to security, use, disclosure, access and amendment.⁸³ The ADT went on to argue that:

according to KD, important limits that have been placed on use and disclosure may not apply because they only relate to information that has been “collected” and that term does not cover unsolicited information. This is a perverse result. It should be made clear that unsolicited information is not affected by the Collection principles but is otherwise subject to PPIPA.⁸⁴

ISSUE 22

Should the meaning of “unsolicited” in s 4(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 10 of the Health Records and Information Privacy Act 2002 (NSW) be clarified?

ISSUE 23

If information is “unsolicited”, what IPPs or HPPs, if any, should apply to that information? Should all of the provisions of the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) apply to unsolicited information, except the collection IPPs and HPPs?

5.62 Sections 23 and 24 of PPIPA exempt law enforcement agencies and investigative agencies from having to comply with certain of the IPPs if, generally speaking, the information relates to, or compliance with the sections interferes with, the agencies’ law enforcement, investigative or complaints-handling functions. Section 27 of PPIPA and s 17 of HRIPA specifically exempt the Independent Commission Against Corruption, the Police Service (NSW Police), the Police Integrity Commission and the NSW Crime Commission from compliance with all of the IPPs in PPIPA’s case,⁸⁵ and compliance with the Act as a whole, in HRIPA’s case, unless the information is in connection with the exercise of their “administrative and educative functions”.⁸⁶

5.63 This “administrative and educative functions” rider to the exemption ostensibly lessens the impact of the exemption itself on privacy protection. However, three aspects of its application may undermine this. First, the meaning of “administrative function” is not settled and may be construed more narrowly than Parliament intended. Secondly, a function may have a dual character, possessing both administrative and non-administrative purposes. For example, an administrative function may only be carried out as incidental to a non-administrative function, or necessary to ensure its effective exercise. In that case, the non-administrative function may not be isolated, with the application of IPPs to it, but be subsumed into the operational function. Related to this, if a function cannot easily be categorised as administrative or educative, it may automatically be categorised as operational, thereby coming within the exemption. This categorisation by default broadens the scope of s 27 of PPIPA and s 17 of HRIPA.

5.64 The difficulty faced in distinguishing administrative functions from operational functions is illustrated in YK v Commissioner of Police, NSW Police.⁸⁷ The applicant in that case, YK, complained to the ADT that a NSW Police officer had breached PPIPA by revealing to YK’s employer, NSW Health, information collected by the police in the course of their investigations into child sexual assaults allegedly committed by YK. NSW Police claimed that the conduct was exempt from the IPPs pursuant to s 27 because the information was disclosed in the course of carrying out its investigative functions.

5.65 The ADT referred to the decision of HW v Commissioner of Police, NSW Police Service, in which the Tribunal had said that s 27 sought “to draw a distinction between the core responsibility of the Police Service and its ‘administrative’ and educative’ functions”.⁸⁸ Having divided responsibilities into core and non-core, the ADT held that the meaning of “administrative” in s 27 should “be read down so as not to embrace those core responsibilities”.⁸⁹ It could not be used “to refer to the entirety of the administrative activity of the Police Service, which includes the investigation of a crime” but refers “to those activities that have to do with providing administrative support for the conduct of its core responsibilities”.⁹⁰ The ADT also acknowledged, however, that characterisation of some activities “in terms of core/administrative/educative may vary depending on the context that has given rise to the conduct in issue”.⁹¹

5.66 In the case before it, the ADT stated that the characterisation of the conduct as core or administrative was “ultimately a question of fact having regard to the circumstances in which the disclosure was made”.⁹² The ADT found that the disclosure of personal information about YK was made years after the assaults allegedly occurred and after NSW Police had completed its investigations and determined that there was insufficient evidence to prosecute, and were made to NSW Health to assist it in assessing YK as an employee. In those circumstances, the ADT held that the disclosure was made pursuant to “administrative” functions.⁹³ The facts of the case were complicated by a request to NSW Police from the Ombudsman for information about the allegations, the Ombudsman having become aware of the allegations through NSW Health. The case illustrates the difficult exercise that an agency (or the tribunal or the Privacy Commissioner if a complaint is made) must embark on to establish whether information can lawfully be exempted from the IPPs under s 27.

5.67 Lastly, agencies/organisations may themselves avoid categorising functions as administrative or educative in order to by-pass the application of IPPs to information collected in relation to them, or, in the case of health organisations, to avoid the application of HRIPA altogether.

5.68 The purpose of the exemption is to achieve “balance between the competing interests of the need for privacy protection of government-held information bases and the need for a reasonable flow of information for valid purposes of investigation and law enforcement”.⁹⁴

5.69 In order to facilitate investigation and law enforcement, s 27 of PPIPA and s 17 of HRIPA contain legitimate and necessary exemptions. The issue arises, however, as to whether the “administrative and educative functions” rider to the exemption has been weakened in practice so as to upset the balance of which the Attorney General spoke. The Privacy Commissioner pointed out to the review of PPIPA that the Government’s purpose in enacting s 27 was “not to protect secrecy in dealings or to protect the Government from accountability”⁹⁵ and submitted that, in keeping with this, the exemption should be defined more closely.⁹⁶

ISSUE 24

Should the meaning of, and distinction between, “administrative” and “educative” functions in s 27 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 17 of the Health Records and Information Privacy Act 2002 (NSW) be more clearly defined?

ISSUE 25

Should the legislation explicitly provide that if a function is dual, the administrative function must be separately categorised?

ISSUE 26

Is the opportunity to complain to the Privacy Commissioner and challenge the categorisation of a function sufficient?

5.70 PPIPA specifically excludes State owned corporations (“SOCs”) from the definition of “public sector agency”. Accordingly, twenty-one corporatised government agencies, including Sydney Ferries, Railcorp, Sydney Water, NSW Lotteries, Landcom, Energy Australia and Integral Energy, are not regulated at all by PPIPA.⁹⁷

5.71 The exclusion of SOCs from the scope of PPIPA was vigorously debated during the passage of the legislation through New South Wales Parliament in 1998. The Opposition in the Legislative Council moved an amendment to bring SOCs within the statute’s ambit. The then Shadow Attorney General, the Hon J Hannaford, MLC, argued that all SOCs are “organs of the State” and are Government agencies that have been “corporatised to drive efficiencies within that agency”.⁹⁸ He concluded that “[a]dherence to privacy principles should not affect that efficiency”.⁹⁹ Further, he noted that the 1992 report by the Independent Commission Against Corruption on the unauthorised release of Government information cited SOCs as “amongst the worst offenders” in terms of selling private information.¹⁰⁰

5.72 In response, the then Attorney General, the Hon J W Shaw, QC, MLC noted that including SOCs within the scope of PPIPA would place them at a “competitive disadvantage” with the private sector, which, in 1998, had not yet been regulated by privacy legislation.¹⁰¹ The former Attorney General recognised the desirability of extending privacy laws to the private sector, but considered that this should be done at a national, rather than State, level.¹⁰² The intention was for SOCs to be covered by privacy legislation at a future time, when the rest of the private sector was similarly covered. The proposed amendment was passed in the Legislative Council, but overturned in the Legislative Assembly.

5.73 The Privacy Amendment (Private Sector) Act 2000 (Cth) began operation on 21 December 2001. That Act incorporated into the Privacy Act 1988 (Cth) 10 National Privacy Principles, which must be followed by private sector organisations as defined in the legislation. The definition of “organisation” in the Commonwealth Act specifically excludes State or Territory authorities and instrumentalities.¹⁰³ However, a separate section of the Privacy Act 1988 (Cth) provides that those authorities or instrumentalities may be covered by the Act if prescribed in the regulations made under the legislation.¹⁰⁴ The Privacy (Private Sector) Regulations 2001 (Cth) prescribes four SOCs as organisations for the purposes of the Privacy Act 1988 (Cth). They are:

• Australian Inland Energy Water Infrastructure;
• Country Energy;
• Energy Australia; and
• Integral Energy.¹⁰⁵

5.75 The Government’s original intention in excluding SOCs from PPIPA “to ensure a level playing field”¹⁰⁶ is no longer valid. Secondly, there is no even-handedness in the patchwork coverage of SOCs by privacy legislation that now prevails. Thirdly, the current approach of privacy legislation to SOCs is not consistent with the principal objectives of SOCs prescribed by s 20E of the State Owned Corporations Act 1989 (NSW). These include: to be a successful business and, to this end, to operate at least as efficiently as any comparable businesses;¹⁰⁷ and to exhibit a sense of social responsibility by having regard to the interests of the community in which it operates.¹⁰⁸

5.76 In relation to the first objective, bringing some SOCs under the jurisdiction of privacy legislation but not others may make it harder for certain SOCs to operate as efficiently as comparable businesses not bound by privacy obligations. In relation to the second objective, a SOC that is immune from privacy obligations is not fully exhibiting a sense of social responsibility in that area. Being aware of this shortcoming, Sydney Water voluntarily complies with the IPPs “as a matter of customer respect and trust”.¹⁰⁹

5.77 Some SOCs indicated to the Attorney General’s review of PPIPA that they wanted to be covered by the Commonwealth Privacy Act 1988 in order to take advantage of exemptions relating to the transfer of personal information between agencies.¹¹⁰

5.78 The Commission is of the view that all SOCs should be covered by privacy legislation, whether by PPIPA or the Privacy Act 1988 (Cth), providing there is no duplication of coverage.

PROPOSAL 6

All State owned corporations should be covered by privacy legislation.

5.79 While PPIPA specifically excludes SOCs from the definition of “public-sector agency”, the Act is silent on the status of non-government organisations contracted by public-sector agencies to provide services to the public. To come within PPIPA’s ambit, government contractors would have to be specifically included by the legislation, as it would be straining statutory interpretation to define government contractors as “public sector agencies”.

5.80 There is clearly a disparity in government contractors, standing in the shoes of a public sector agency, having no obligations to protect the privacy of the personal information of the customers with whom they deal. For example, all insurers contracted to Workcover are private and Privacy NSW reports that there are numerous complaints about breaches of privacy by these insurers. They are not bound by the IPPs and there is no internal review of conduct.

5.81 Both the Commonwealth and Victorian jurisdictions have seen fit to regulate protection of information privacy where a public sector agency has contracted the services of a private organisation. Section 95B(1) of the Privacy Act 1988 (Cth) provides that the agency must “take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an [IPP] if done or engaged in by the agency”. Section 17 of the Information Privacy Act 2000 (Vic) provides that “a State contract may provide for the contracted service provider to be bound by the [IPPs] and any applicable code of practice … in the same way and to the same extent” as the public sector agency itself would have been bound if it had provided the service directly.

5.82 Privacy NSW has argued that PPIPA should include a mandatory requirement binding contractors to the same privacy standards, being the applicable IPPs and any modifications under a privacy code of practice, as apply to the agency itself.

5.83 The Attorney General’s review of PPIPA recommended that PPIPA should provide a structure to bind government contractors providing services that require management of personal information, so as to “conform to the terms” of PPIPA, unless they are otherwise bound by equivalent privacy laws.¹¹¹

5.84 The Commission agrees with this recommendation and the view of Privacy NSW and accordingly makes the following proposal.

PROPOSAL 7

The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to provide that where a public sector agency contracts with a non-government organisation to provide services for government, the non-government organisation should be contractually obliged to abide by the IPPs and any applicable code of practice in the same way as if the public sector agency itself were providing the services.

Background

5.85 PPIPA deals primarily with safeguarding information privacy. It is clear from the Parliamentary debates that saw the passage of the Privacy and Personal Information Protection Bill through both Houses that the focus was on data protection. However, there is in PPIPA protection of other facets of privacy. The purpose of the Act is generally “to promote the protection of privacy and the rights of the individual”¹¹² and the Privacy Commissioner is given a general power to “receive, investigate and conciliate complaints about privacy related matters”.¹¹³ In addition, s 45(1) of PPIPA provides that complaints may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of the individual.¹¹⁴ That PPIPA offers general privacy protection is clear, but the scope of this protection is indeterminate.

5.86 The second aspect of PPIPA’s general privacy protection is that the only remedy available to a complainant is conciliation by the Privacy Commissioner. If the alleged transgressor of physical privacy is a public sector agency, there is no right of internal review and subsequent appeal to the ADT.

5.87 This section considers whether the scope of the legislation can be amplified by giving express and defined protection to more general aspects of privacy, in particular, physical privacy, and by offering a wider range of remedies to redress invasions of privacy.

What are “privacy related matters”?

5.88 There is no guidance in the Act as to what “privacy related matters” might appropriately fall within the scope of s 36(2)(k). In investigating a complaint, Privacy NSW relies, initially at least, on what is termed “the Prosser test”.¹¹⁵ This is a standard based on:

• the intrusion upon the plaintiff’s seclusion or solitude, or into his or her private affairs;
• public disclosure of embarrassing facts about the plaintiff;
• publicity that places the plaintiff in a false light in the public eye; and
• appropriation of the plaintiff’s name or likeness.

5.90 A different, more pragmatic, approach is to identify categories of privacy in order to imbue the term with a workable meaning. CP 1 illustrated this approach by reference to the categories of privacy identified by Privacy International, ¹¹⁷ namely:

• information privacy, or data protection;
• bodily privacy, including protection against invasive procedures and DNA testing;
• privacy of communications, covering security of electronic and standard mail and telephone communications; and
• territorial privacy, covering surveillance and protection against other intrusions into people’s physical space.

• information collection, including surveillance and interrogation;
• information processing;
• information dissemination; and
• intrusion.¹¹⁸

Bodily privacy

5.93 The main areas of protection in this category are in relation to invasive procedures and genetic testing. What is relevant here is the actual physical privacy afforded an individual, not the privacy of personal information collected as a result of genetic testing or other medical procedures, or contained in genetic and other bodily samples. The privacy of personal information in the form of body samples or genetic characteristics is governed by HRIPA.

5.94 The issue that arises is whether PPIPA can effectively, and appropriately, offer protection to an individual whose bodily privacy has been invaded, or whether this is not better dealt with by specific legislation.

5.95 For example, the Human Tissue Act 1983 (NSW) regulates donation of tissue (including blood and semen) by living persons, removal of tissue from deceased persons and the conduct of post-mortem examinations. It governs such things as issues of consent and use of tissue removed during medical, dental or surgical treatment. Another example of specialised legislation in the area of bodily privacy is the Crimes (Forensic Procedures) Act 2000 (NSW). This Act regulates the carrying out of forensic procedures on criminal suspects, convicted offenders and other persons, and the retention, admissibility and destruction of forensic material. It also regulates storage of information on a DNA database. An example of specialised legislation at the Commonwealth level is the Genetic Privacy and Non-discrimination Bill 1998. If enacted, it would protect the genetic privacy of individuals, prohibit genetic discrimination and provide for the collection, storage and analysis of DNA samples.¹¹⁹

5.96 At this point, the Commission is leaning towards the view that such a complex and specialised area as bodily privacy is best regulated by dedicated legislation that covers all aspects of the subject matter, including privacy, consent, authority to collect and use, and so forth. Provisionally, this approach appears to be preferable to bringing bodily privacy under the umbrella of PPIPA. However, the Commission would like to receive submissions on this issue.

ISSUE 27

Should the Privacy and Personal Information Protection Act 1998 (NSW) contain express provisions for the general regulation of bodily privacy?

5.97 Privacy of communications covers the security of standard mail and electronic communications. Electronic communications include computer communications such as email, electronic data interchange, “chat room” correspondence, instant messaging, mobile phone calls and messaging, PDA communications and landline telephone calls.

5.98 The Telecommunications (Interception and Access) Act 1979 (Cth) prohibits, except where specifically authorised, two main heads of conduct: (1) the interception of communications passing over a telecommunication system;¹²⁰ and (2) access to stored communications. “Communication” is defined to include conversations or messages in the form of speech, music or other sounds, data, text, visual images or signals, or in any other form or combination of forms.¹²¹ A “stored communication” is a communication that: is not passing over a telecommunications system; is held on equipment operated by and in the possession of a carrier; and cannot be accessed by a third party without the carrier’s assistance. Accessing a stored communication means listening to, reading or recording it by means of equipment operated by a carrier, without the knowledge of the intended recipient of the communication.

5.99 The Telecommunications (Interception and Access) Act 1979 (Cth) was amended in 2006 to add the prohibition on accessing stored communications.¹²² Case law prior to the 2006 amendment held, in relation to telephone interceptions, that the Telecommunications (Interception) Act 1979 (Cth) was intended to cover the field, thus displacing any State legislation that might otherwise apply.¹²³ It is probable, although not entirely clear, that the courts would also have held that all other types of communications intercepted during their passage across a telecommunications system would have been regulated exclusively by the Telecommunications (Interception) Act 1979 (Cth). This Constitutional issue has not been tested in the courts in relation to the Telecommunications (Interception and Access) Act 1979 (Cth) but there is no evidence to suggest that the amendment changes the Commonwealth’s intention that the Act should cover the field. For that reason, it is difficult to see how PPIPA/HRIPA could include provisions that regulate the privacy of telecommunications.

5.100 The privacy of information that is obtained by telecommunications providers is a separate, albeit related, issue and not relevant to the present discussion. Use and disclosure of that information is regulated by the Commonwealth Telecommunications Act 1997 and must remain in the federal domain.

Territorial privacy

5.101 Territorial privacy covers surveillance and protection against other intrusions into people’s physical space. A large number of complaints received by the Privacy Commissioner relate to the use of Closed Circuit Television (CCTV). For example, Privacy NSW has investigated a number of complaints that neighbours are training cameras on the complainant’s property (sometimes with both audio and video surveillance mechanisms), filming the complainant, and often the complainant’s children, going about their business in their own home and backyard.¹²⁴ This is apparently being done to harass or intimidate the complainant,¹²⁵ or as revenge in the context of neighbour-neighbour disputes.

5.102 Because the cameras are fixed on the neighbour’s own private property, there is nothing that Privacy NSW can do to remedy the situation. There is no specific legislation regulating surveillance in residential settings. As its name makes clear, the Workplace Surveillance Act 2005 (NSW) only regulates surveillance in a workplace, prohibiting covert surveillance of employees in the workplace without appropriate notice. For surveillance outside the workplace, the complainant’s only options are to bring an action in nuisance,¹²⁶ involving costly litigation with an uncertain outcome, or to seek an Apprehended Violence Order. Again, success of this action is far from certain. The Crown needs to prove beyond reasonable doubt that the filming of the complainant amounts to harassment or molestation.¹²⁷

5.103 In 2005, the Commission published its final report on surveillance. The Commission recommended the enactment of a Surveillance Act to regulate all overt and covert surveillance activity in New South Wales.¹²⁸ Under the proposed Act, the Privacy Commissioner would have an important role in the regulation of overt surveillance.¹²⁹ Although the Government has indicated that it will not be implementing the recommendation, the Commission stands by its conclusions and recommendations, and its preferred position continues to be that surveillance be regulated under a dedicated Surveillance Act. Issues arising out of surveillance are separate from issues relating to information privacy, and should be kept separate. However, we invite submissions addressing the question whether territorial privacy should be protected in PPIPA.

ISSUE 28

Should the Privacy and Personal Information Protection Act 1998 (NSW) contain express provision for breaches of territorial privacy?

5.104 The whole question of what aspects of privacy PPIPA should protect, and whether PPIPA should provide comprehensive remedies for breaches of privacy, is complicated by the possible enactment of a statutory cause of action for invasion of privacy.

5.105 The Commission published a consultation paper in May 2007 (“CP 1”)¹³⁰ seeking comment on whether there should be a general cause of action for invasion of privacy and, if so, what the boundaries of that cause of action should be. How the provisions of PPIPA would dovetail with a statutory cause of action is crucial to the resolution of the issues raised above but the outcome of the enquiry set in train by CP 1 will not be known for some time. It will involve extensive research, consultation, deliberation of submissions and debate, and may or may not result in a statutory cause of action for invasion of privacy. If it does, what conduct would be covered, what remedies would be available, and which court or tribunal would have jurisdiction under the statute, is yet to be determined.

5.106 Having said that, because the two enquiries – this and CP 1 – have different emphases, it is possible to pursue an examination of the scope of privacy protection under PPIPA and HRIPA at this time. Put simply, PPIPA and HRIPA can be viewed as offering preventative, or “front-end”, protection, while a statutory cause of action can be viewed as offering curative, or “back-end”, protection. The schemes of PPIPA and HRIPA put in place a framework to ensure that information privacy is protected and to forestall breaches of privacy; whereas a statutory cause of action for invasion of privacy would offer redress for breaches, or invasions, of privacy that occur. There is, of course, overlap. PPIPA and HRIPA also offer mechanisms to deal with breaches of privacy; and a cause of action for invasion of privacy acts as a preventative measure in privacy protection by putting people on notice what conduct will and will not be tolerated by the law.

5.107 The second difference in emphasis between the two enquiries is on whom the duty of compliance falls. Other than s 45, which implicates all individuals and organisations in obligations to respect privacy, the provisions of PPIPA regulate public sector agencies. A statutory cause of action for invasion of privacy would not be likewise limited. It would apply to all individuals and bodies whether public or private. While HRIPA regulates both the public and private sectors, Chapter 4 raises the possibility, which the Commission favours, of transferring responsibility for private sector health service agencies and providers from New South Wales to the Commonwealth, leaving the State legislation applying to the public sector only.

5.108 Elements common to the two inquiries are the challenge of setting the boundaries of privacy protection and the appropriate remedies for breaches. The challenge lies both in determining the reach of a statutory cause of action and of PPIPA and resolving the overlap between the statutes. Although the overlap is reduced (to State authorities) if a statutory cause of action is enacted at both the federal and State levels, there is still a question of overlap with the rest of FOI legislation, meaning that an overlap with information privacy will continue to exist.

5.109 Simultaneously with this inquiry, the Australian Law Reform Commission (“ALRC”) is conducting a review of Commonwealth privacy law. In its Discussion Paper 72,¹³¹ it has combined the two equivalent phases of the Commission’s review – the operation of existing privacy legislation and the possibility of a statutory cause of action for invasion of privacy - in the one discussion paper and has reconciled the two paths of inquiry in the following way. It proposes that a statutory cause of action be introduced at the federal level and that this be included in the Privacy Act 1988 (Cth). The ALRC proposes that the Privacy Act would then cover: interference with an individual’s home or family life; surveillance; and interference with, or misuse or disclosure of, correspondence or private written, oral or electronic communications.¹³².

5.110 The Commission’s final report will coalesce the responses to its CP 1, the ALRC’s DP 72 and this paper to make recommendations that offer the best mechanisms for protecting, and redressing invasions of, all aspects of an individual’s privacy, in a framework of harmonisation with the Commonwealth.

ISSUE 29

If a statutory cause of action for invasion of privacy is to be enacted, what should be its relationship be to the Privacy and Personal Information Protection Act 1998 (NSW)?(Footnotes)

1. Exemptions can also be created in regulations, codes of practice and public interest directions but this discussion is confined to exemptions under the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) themselves.

2. GA v Department of Education and Training and New South Wales Police (GD) [2004] NSWADTAP 18, [48] (in relation to PPIPA).

3. Coco v The Queen (1994) 179 CLR 427; Taciak v Commissioner of Australian Federal Police (1995) 131 ALR 319.

4. The exceptions contained in s 4(3)(a)-(j) and (k) of PPIPA are mirrored in s 5(3)(a), (b), (f)-(m) and (o) of HRIPA. HRIPA does not except adoption information obtained under the Adoption Act 2000 (NSW), as PPIPA does in s 4(3)(ja). HRIPA has four further exceptions that PPIPA does not have: s 5(3)(c) - information contained in a document kept in a library, art gallery or museum for purposes of reference study or exhibition; (d) – information contained in a record available for public inspection under the State Records Act 1998 (NSW); (e) – information contained in archives within the meaning of the Copyright Act 1968 (Cth) and (n) – information forming part of an employee record within the meaning of the Privacy Act 1988 (Cth) held by a private sector person.

5. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998 (26 May 2004), 5.

6. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998 (April 2004), 28.

7. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (2004), [3.1.2], 63. See also New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, (Tabled 25 September 2007, Legislative Assembly), [9.9].

8. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (2004), [3.1.2], 63. See also New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.9].

9. Privacy and Personal Information Protection Act 1998 (NSW) s 3.

10. A Johnston, PPIPA in Practice: An Annotated Guide to the Privacy and Personal Information Protection Act 1998 (NSW) (2007), [22].

11. Privacy NSW illustrates this unsatisfactory lack of clarity by asking “What is a publication?” and “How widely must it be distributed or read for it to be considered ‘publicly available’?”: Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 64. The existence of a distinct exemption relating to information on a “public register” creates further uncertainty.

12. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 64.

13. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 64. See also New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.17].

14. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 63.

15. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 64.

16. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.18].

17. Commissioner of Police, New South Wales v EG; EG v Commissioner of Police, New South Wales (GD) [2004] NSWADTAP 10.

18. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 64.

19. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 65.

20. NW v Fire Brigades [2005] NSWADT 73, [32]. See A Johnston, PPIPA in Practice: An Annotated Guide to the Privacy and Personal Information Protection Act 1998 (NSW), [21].

21. Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (2004), [3.1.2], 66. See also New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.20].

22. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.17].

23. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.

24. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.

25. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.

26. Protected Disclosures Act 1994 (NSW) s 8

27. Protected Disclosure Act 1994 (NSW) s 3.

28. IPP 6 allows a person to discover whether the agency holds personal information; and IPPs 7 and 8 give an individual rights to access, and require amendments to, his or her personal information.

29. Section 20(5) of PPIPA provides: “Without limiting the generality of section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in section 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.”

30. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [7.1].

31. See NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 19.

32. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 28.

33. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 28.

34. KO v Commissioner of Police (GD) [2004] NSWADTAP 21, [32]. See A Johnston, PPIPA in Practice: An Annotated Guide to the Privacy and Personal Information Protection Act 1998 (NSW), [23].

35. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.29].

36. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [3.1.2], 67.

37. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 28.

38. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.2].

39. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.2].

40. New South Wales, Parliamentary Debates, Legislative Council, In Committee, 28 October 1998, 9155 (the Hon J P Hannaford,).

41. New South Wales, Parliamentary Debates, Legislative Council, In Committee, 28 October 1998, 9155 (the Hon J W Shaw).

42. New South Wales, Parliamentary Debates, Legislative Council, In Committee, 28 October 1998, 9155 (the Hon J W Shaw).

43. New South Wales, Parliamentary Debates, Legislative Council, In Committee, 28 October 1998, 9156 (the Hon Dr A ChesterfieldEvans).

44. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.22].

45. Y v Director General, Department of Education [2001] NSWADT 149.

46. Y v Director General, Department of Education [2001] NSWADT 149, [36].

47. See Y v Director General, Department of Education [2001] NSWADT 149, [36]: “it would be an unusual case where the exclusion would apply outside what I have described as the routine personnel context…”

48. PPIPA is “[a]n Act to provide for the protection of personal information, and for the protection of the privacy of individuals generally; …”

49. PN v Department of Education and Training [2006] NSWADT 122.

50. The definition of “personal information” includes opinion: PPIPA s 4(1).

51. See Department of Education and Training v PN (GD) [2006] NSWADTAP 66. Note that the Appeal Panel granted the Department leave to appeal because “the Department’s contention was clearly arguable”: [7].

52. PN v Department of Education and Training [2006] NSWADT 122, [56]. See Y v Director General, Department of Education [2001] NSWADT 149; GL v Director-General, Department of Education and Training [2003] NSWADT 166; and EG v Commissioner of Police, New South Wales Police Service [2003] NSWADT 150.

53. Section 14 of the Privacy and Personal Information Protection Act 1998 (NSW) provides: “A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.”

54. SW v Forests New South Wales [2006] NSWADT 74. See Vice-Chancellor, Macquarie University v FM [2005] NSWCA 192, [34]; see also Re Pasla and Australia Postal Corporation (1990) 20 ALD 407, 413: film held to be personal information for the purposes of the Privacy Act 1988 (Cth).

55. Vice-Chancellor, Macquarie University v FM [2005] NSWCA 192, [34].

56. Crown Solicitor’s Office, New South Wales, Submission, [3.9]. IPP 2 (s 9) – collection of information directly from the individual; IPP 3 (s 10) – making the individual from who information is collected aware of certain things.

57. See Vice-Chancellor, Macquarie University v FM [2005] NSWCA 192 where it was held that information in the minds of employees was not personal information. A key reason for the Court’s conclusion was the impossibility of applying most of the IPPs to that information.

58. Crown Solicitor’s Office, New South Wales, Submission, [3.5].

59. Crown Solicitor’s Office, New South Wales, Submission, [3.5] and [4.1].

60. Police Force of Western Australia v Ayton [1999] WASCA 233: “I think it must be accepted that the disclosure would be disclosure about an individual whose identity is apparent from the document, notwithstanding that reference must be made to other sources to ascertain the names of those individuals.” (Wheeler J), [38].

61. Police Force of Western Australia v Ayton [1999] WASCA 233, (Wheeler J), [38].

62. NSW Department of Health, Consultation (3 December 2007).

63. McNamara v Consumer Trader and Tenancy Tribunal (2005) 221 CLR 646.

64. Crown Solicitor’s Office, New South Wales, Submission, [3.1].

65. Crown Solicitor’s Office, New South Wales, Submission, [3.3].

66. See the minority decision in Wynyard Investments Pty Ltd v Commissioner for Railways (NSW) (1955) 93 CLR 376.

67. See McNamara v Consumer Trader and Tenancy Tribunal (2005) 221 CLR 646, [33] (McHugh, Gummow, Heydon JJ). However, in New South Wales the issue is now expressly clarified by s 13A of the Interpretation Act 1987 (NSW), inserted into the Act in 2006 (Interpretation Amendment Act 2006 (NSW)). This section states that if an Act provides that a body is a New South Wales Government agency, or a statutory body representing the Crown, the body has the status, privileges and immunities of the Crown.

68. NSW Department of Health, Consultation (3 December 2007).

69. Section 13 of the Health Service Act 1997 (NSW) describes “affiliated health organisations” as “certain non-profit, religious, charitable or other non-government organisations and institutions to be treated as part of the public health system where they control hospitals, health institutions, health services or health support services that significantly contribute to the operation of that system”.

70. Privacy and Personal Information Protection Act 1998 (NSW) s 8, 9, 10 and 11.

71. See A Johnston, PPIPA in Practice: An Annotated Guide to the Privacy and Personal Information Protection Act 1998 (NSW), [28].

72. KD v Registrar, New South Wales Medical Board [2004] NSWADT 5, [27].

73. Privacy NSW, Consultation (2 July 2007).

74. Privacy and Personal Information Protection Act 1998 (NSW) s 8, 9, 10 and 11.

75. Privacy and Personal Information Protection Act 1998 (NSW) s 12, 13, 14, 15, 16, 17, 18 and 19.

76. KD v Registrar, New South Wales Medical Board [2004] NSWADT 5 [28].

77. KD v Registrar, New South Wales Medical Board [2004] NSWADT 5 [29]. See also HW v Director of Public Prosecutions (No 2) [2004] NSWADT 73.

78. “Section 17 refers to information held for a purpose ‘other than that for which it was collected. ’ This seems to me to confine the relevant information to information that had been collected by the agency for one purpose and prevents it being used for another. Critically, it relates to collected information. The interpretation of s 18 is more difficult but I think that the same implication obtains. Section 18(1)(a) again refers to the purpose for which information has been collected. Sub-section (1)(b) refers to personal information “of that kind” held by an agency. I think that there is a reasonable inference that this refers to “collected information” also, although it is not as clear in this instance as in (1)(a). It may well also refer to the wider category of unsolicited information. Given that this is beneficial legislation, s 18(1)(b) ought be given the wider interpretation. That view is strengthened by the fact that s 18(2) refers to ‘the purpose for which the information was given to it’ rather than, as in s 18(1)(a), ‘for which the information was collected’.”: KD v Registrar, New South Wales Medical Board [2004] NSWADT 5, [29].

79. New South Wales Government, Response to the Report on the Statutory Review of the Privacy and Personal Information Protection Act 1998, 8.

80. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, Recommendation 16.

81. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 9.

82. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10. For example, IPPs relating to notice of purpose of collection and intended uses of the information.

83. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.

84. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.

85. Privacy and Personal Information Protection Act 1998 (NSW), s 27(1).

86. Privacy and Personal Information Protection Act 1998 (NSW), s 27(2).

87. YK v Commissioner of Police, New South Wales Police [2008] NSWADT 81.

88. HW v Commissioner of Police, New South Wales Police Service [2003] NSWADT 214, [25].

89. HW v Commissioner of Police, New South Wales Police Service & Anor [2003] NSWADT 214, [27].

90. HW v Commissioner of Police, New South Wales Police Service & Anor [2003] NSWADT 214, [29].

91. HW v Commissioner of Police, New South Wales Police Service & Anor [2003] NSWADT 214, [30].

92. YK v Commissioner of Police, New South Wales Police [2008] NSWADT 81, [26].

93. YK v Commissioner of Police, New South Wales Police [2008] NSWADT 81, [33].

94. New South Wales, Parliamentary Debates, Legislative Council, Second Reading Speech, 14 October 1998, 8251 (the Hon J W Shaw).

95. New South Wales, Parliamentary Debates, Legislative Council, Second Reading Speech, 14 October 1998, 8251 (the Hon J W Shaw).

96. Privacy NSW, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 74.

97. See State Owned Corporations Act 1989 (NSW) sch 5 for a list of all statutory State owned corporations.

98. New South Wales, Parliamentary Debates, Legislative Council, 28 October 1998, In Committee, 9151-9152 (the Hon J Hannaford).

99. New South Wales, Parliamentary Debates, Legislative Council, 28 October 1998, In Committee, 9151-9152 (the Hon J Hannaford).

100. New South Wales, Parliamentary Debates, Legislative Council, 25 November 1998, In Committee, 10562 (the Hon J Hannaford).

101. New South Wales, Parliamentary Debates, Legislative Council, 28 October 1998, In Committee, 9152 (the Hon J Hannaford).

102. New South Wales, Parliamentary Debates, Legislative Council, 17 September 1998, Second Reading Speech, 7601 (the Hon J W Shaw).

103. See Privacy Act 1988 (Cth) s 6C.

104. Privacy Act 1988 (Cth) s 6F.

105. Privacy (Private Sector) Regulations 2001 (Cth) cl 3A.

106. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [9.29].

107. State Owned Corporations Act 1989 (NSW) s 20E(1)(a)(i).

108. State Owned Corporations Act 1989 (NSW) s 20E(1)(b).

109. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [8.7].

110. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, [8.8].

111. New South Wales Attorney General’s Department, Review of the Privacy and Personal Information Protection Act 1998, Recommendation 13.

112. Privacy and Personal Information Protection Act 1998 (NSW), Long Title. See also New South Wales, Parliamentary Debates, Legislative Council, 17 September 1998, Second Reading Speech, 7600 (the Hon J W Shaw).

113. Privacy and Personal Information Protection Act 1998 (NSW), s 36(2)(k).

114. The Commissioner may also make a complaint on his or her own initiative: Privacy and Personal Information Protection Act 1998 (NSW), s.45(1).

115. The Office of the New South Wales Privacy Commissioner, Protocol for the Handling of Complaints by Privacy NSW (22 July 2002, revised July 2006), [2.3.2.3]. The “Prosser Test” is the standard described in the 1973 Report to the New South Wales Parliament on the Law of Privacy: W L Morison, Report on the Law of Privacy (No 170, Parliament of New South Wales, 1973), [22]-[23]. In that report, Professor Morison referred extensively to the United States tort of privacy authoritatively summarised by Dean William L Prosser: W L Prosser, “Privacy” (1960) California Law Review 48, 383. See New South Wales Law Reform Commission, Invasion of Privacy, Consultation Paper 1 (2007), Ch 4 for an extensive discussion of the Prosser Test and of the law of privacy protection in the United States.

116. NSWLRC CP 1, [1.12-1.18]. See also Australian Law Reform Commission, Review of Privacy (Discussion Paper 72, 2007), [1.29]-[1.63].

117. Privacy International, Privacy and Human Rights 2000 Overview http://www.privacyinternational.org/survey/phr2000/overview.html at 7 February 2008.

118. D J Solove, “A Taxonomy of Privacy” (2006) 154 University of Pennsylvania Law Review 477, 488-489. See NSWLRC CP ‘1 [1.17]-[1.18].

119. This may not, however, come to pass as the Bill was introduced into the Commonwealth Parliament in 1998, restored in 2004, but lapsed again on 15 October 2007.

120. Telecommunications (Interception) Act 1979 (Cth) s 7.

121. Telecommunications (Interception) Act 1979 (Cth) s 5. The definition of “interception” refers only to “listening to or recording” such communications: s 6.

122. Telecommunications (Interception) Amendment Act 2006 (Cth). The name of the Act was also changed from the Telecommunications (Interception) Act 1979 (Cth) to its present name, the Telecommunications (Interception and Access) Act 1979 (Cth) to reflect its expanded scope.

123. Edelsten v Investigating Committee of New South Wales (1986) 7 NSWLR 222 at 230; Miller v Miller (1978) 141 CLR 269. See Constitution Act s 109.

124. See, for example, Privacy NSW, Annual Report 2005-06 (2006), 28.

125. One complaint of surveillance of this nature, for example, arose out of the complainant’s refusal to withdraw objections to the neighbour’s Development Application.

126. See Raciti v Hughes (unreported, New South Wales Supreme Court, Young J, 3667 of 1995, 19 October 1995).

127. Crimes Act 1900 (NSW) s 562D(1).

128. New South Wales Law Reform Commission, Surveillance: Final Report (Report 108, 2005); New South Wales Law Reform Commission, Surveillance: An Interim Report (Report 98, 2001).

129. NSWLRC Report 108, Recommendation 2.

130. NSWLRC CP 1.

131. ALRC DP 72.

132. ALRC DP 72, Proposal 51.