7. Other operational issues
Updates and background for this project (Digest)
INTRODUCTION
7.1 This chapter continues the examination, begun in Chapter 6, of problems, uncertainties and ambiguities with the operation of the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”) and the Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”).
7.2 Whereas Chapter 6 was confined to assessing the Information Protection Principles (“IPPs”) and the Health Privacy Principles (“HPPs”), this chapter deals with a number of diverse issues, including:
- a dichotomy in the operation of exemptions from the IPPs where an agency is investigating a complaint;
- uncertainty in the operation of exemptions from the IPPs where non-compliance is permitted or required under an Act or any other law;
- ambiguity in the scope of privacy codes of practice;
- uncertainty and inconsistency in the meaning of the word “person” in Part 4 of PPIPA, particularly in s 37 and 38;
- a drawback with the operation of the public interest directions provisions;
- issues arising in relation to making a complaint including: who may make a complaint; criteria to be applied by the Privacy Commissioner; how s 45 and 36(2)(k) of PPIPA operate together; the application of s 51 of PPIPA to withdrawn complaints; and uncertainty with the operation of s 65 of PPIPA, which deals with reports to Parliament; and
- issues arising in relation to review of conduct by the Administrative Decisions Tribunal (“ADT”) including: the nature of the ADT’s jurisdiction; the absence of a limitation period for review by the ADT; the ADT’s powers on review; the role of the Privacy Commissioner in appeals from ADT decisions; and whether final determination of complaints should be made by the ADT or the Privacy Commissioner.
EXEMPTIONS
Section 24 of PPIPA – exemptions relating to investigative agencies
7.3 The exemptions from compliance with IPPs 2, 3, 10 and 11 (PPIPA s 9, 10, 17 and 18) contained in s 24 apply to an agency that is itself investigating a complaint.1 The exemptions do not, however, apply when an agency is disclosing personal information to an investigative agency for the purpose of that investigative agency carrying out its complaints-handling or investigative functions.
7.4 This seems to the Commission to be a dichotomy that is difficult to justify. It also creates problems for agencies that do not have coercive powers, or in situations where coercive powers are not available.2 While the issue has been addressed in a direction made by the Privacy Commissioner pursuant to s 41, entitled “The use of information for investigative purposes”, we query whether it should be addressed in legislation.
ISSUE 45
Should s 24 of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to exempt an agency from compliance with IPPs 2, 3, 10 and 11 when the agency is disclosing personal information to an investigative agency for the purpose of that investigative agency carrying out its complaint handling or investigative functions?
Section 25 of PPIPA – exemptions where non-compliance is otherwise permitted
7.5 Pursuant to s 25 of PPIPA, an agency is not required to comply with IPPs 2, 3, 6, 7, 8, 10, 11 and 12 (PPIPA s 9, 10, 13, 14, 15, 17 18 and 19)3 if (a) it is “lawfully authorised or required not to comply”; or (b) “non-compliance is otherwise permitted … under an Act or any other law”.
7.6 The Crown Solicitor suggests that it is not clear whether exemption (a) should be limited to cases where a statutory provision expressly refers to the relevant IPP and provides that an agency is authorised or required not to comply with it.4
7.7 While this limited interpretation of s 25(a) is defensible, in HW v Commissioner of Police, New South Wales Police Service, the ADT took a broader view, holding that disclosure of documents to the District Court by the DPP was done “lawfully and in accordance with the duty to the court” because the disclosure was pursuant to a subpoena. In those circumstances, s 25(a) was held to apply.5
ISSUE 46
(a) Is the correct interpretation of s 25(a) of the Privacy and Personal Information Protection Act 1998 (NSW) that it applies to cases where a statutory provision expressly refers to the relevant IPP and provides that an agency is authorised or required not to comply with it, or is a wider interpretation correct, such as adopted by the Administrative Decisions Tribunal in HW v Commissioner of Police, New South Wales Police Service?
(b) Should s 25(a) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to clarify its application?
7.8 The reference in s 25(b) to “any other law” has been held by the Appeal Panel of the ADT to include the common law.6 The Crown Solicitor has suggested that this would be made clearer by re-ordering the words in that subsection, so that the words in parenthesis “(including the State Records Act 1998)” followed the words “under an Act”.7 The Commission agrees that this would remove any doubt that “any other law” is restricted to legislative instruments. It is also a simple, non-controversial, amendment to make.
PROPOSAL 16
Section 25(b) of the Privacy and Personal Information Protection Act 1998 (NSW) should be amended to read as follows:
“A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17 18 or 19 if:
…
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act (including the State Records Act 1998) or any other law.”
Application of s 25(b) to a preliminary inquiry by the Ombudsman
7.9 An issue arises as to whether disclosure of personal information by an agency in response to a preliminary inquiry made by the Ombudsman pursuant to s 13AA of the Ombudsman Act 1974 (NSW) attracts the exemption of s 25(b) of PPIPA.8 If it does not, the disclosure must comply with the restrictions imposed by IPP 11 (PPIPA s 18).
7.10 The Ombudsman has been advised that s 25(b) does not apply to a preliminary inquiry and has interpreted this to mean that agencies are prevented from disclosing “personal information” to the Ombudsman, or any other complaints-handling body, in response to informal or preliminary inquiries.9 The Ombudsman points out that it deals with most complaints within its general and community services jurisdictions by conducting preliminary inquiries to decide whether to conduct a formal investigation into the conduct about which there has been a complaint. It submits that the need to comply with s 18 would have significant implications for the ability of complaints-handling bodies to resolve matters informally or for those bodies who have limited statutory powers to require answers to questions.10
7.11 The Ombudsman has suggested that this could be remedied by excluding public sector agencies from compliance with s 18 if the information is disclosed to an investigative agency in order that it may exercise its complaints-handling or investigative functions.11
PRIVACY CODES OF PRACTICE - PPIPA PART 3; HRIPA PART 5
7.12 The precise scope of codes of practice may need clarifying. Section 29(2) broadly allows a code of practice “to regulate” the collection, use and disclosure of, and procedures for dealing with, personal information held by an agency. On the other hand, s 30(1) allows a code of practice “to modify the application of” the IPPs.
7.13 This gives rise to an ambiguity, as it would seem that s 29(2) allows a privacy code of practice to do more than merely modify the application of the IPPs to an agency. It is arguable that a disclosure of personal information authorised by a code of practice may constitute a “lawful excuse” for the purposes of many secrecy provisions.12
ISSUE 48
Should the interaction of s 29(2) of the Privacy and Personal Information Protection Act 1998 (NSW) with s 30(1) of that Act be clarified?
ISSUE 49
Should the precise scope of a privacy code of practice be clarified?
THE MEANING OF “PERSON” IN s 37 AND 38 OF PPIPA
7.14 The meaning of the word “person” in Part 4 of PPIPA, particularly in s 37 and 38, may need clarification and its use in those sections made consistent. Sections 59 and 60 in Part 7 of HRIPA are equivalent sections. However, HRIPA differs from PPIPA in one small but significant way, which is described below.
7.15 Section 37 of PPIPA gives a general authority to the Privacy Commissioner “in connection with the exercise of [his or her] functions” to “require any person or public sector agency” to give or produce certain statements or documents.13 Section 38(4) of PPIPA, on the other hand, relates to an inquiry or investigation being conducted by the Privacy Commissioner. It provides that, in those circumstances, the Privacy Commissioner must set aside any requirement to give or produce a statement or document “if it appears to the Privacy Commissioner that the person concerned does not consent …” No mention is made of a “public sector agency”. Sections 38(5) and (6) also only refer to a “person”. By contrast, s 59 and 60 of HRIPA both refer to a “person or organisation”.
7.16 The Crown Solicitor has noted that “[t]he purpose of PPIPA would suggest that ‘person’ in s 37 ought to have a wider meaning than a natural person, given the limited definition of ‘public sector agency’14 (and having regard to the definition of ‘person’ in s 21(1) of the Interpretation Act 1987)”.15 However, this is not necessarily what Parliament intended and it may be that the provisions are to be read narrowly so that the meaning of “person” is a “natural person”.
7.17 More importantly, it is difficult to see why, as a matter of fair operation, s 38(4) should not require the Privacy Commissioner to set aside a requirement to give a statement, produce a document or answer a question if an agency does not consent to compliance and could not be compelled in court proceedings to give or produce the evidence. It cannot be assumed that the reference to “person” in s 38(4) includes a representative/employee of a public sector agency as s 37 makes specific and separate reference to “public sector agency”. This interpretation is supported by the fact that HRIPA, drafted several years after PPIPA, makes s 60(4), the equivalent provision to s 38(4), apply specifically to a “person or organisation”.
ISSUE 50
Should the word “person” in s 37 and 38 of the Privacy and Personal Information Protection Act 1998 (NSW) be read as meaning a “natural person”? If so, should this be clarified in the legislation?
ISSUE 51
Should both s 37 and 38(4) of the Privacy and Personal Information Protection Act 1998 (NSW) apply to a “person or public sector agency”?
PUBLIC INTEREST DIRECTIONS - PPIPA s 41 ; HRIPA s 62
7.18 Section 41 of PPIPA and s 62 of HRIPA, respectively, allow the Privacy Commissioner to make a written direction that an agency/organisation is not required to comply with an IPP or HPP or a privacy code of practice or health privacy code of practice, or that the application of an IPP, HPP or code to an agency is to be modified, providing he or she is satisfied that the public interest in so directing outweighs the public interest in compliance with the IPP, HPP or code.
7.19 The Crown Solicitor has pointed out that s 41 of PPIPA contains no mechanism for amendment of a direction.16 Nor does s 62 of HRIPA. It would seem, therefore, that a direction, once issued, cannot be amended and a new direction must be issued, revoking the earlier one. The Privacy Commissioner could rely on s 48(1) of the Interpretation Act 1987 (NSW) for the power to do this.17 The question arises, however, whether it would not be simpler and clearer to include a sub-section in s 41 of PPIPA and in s 62 of HRIPA giving the Privacy Commissioner the power to amend an earlier direction.18
7.20 In addition, the Crown Solicitor has pointed out that, unlike privacy codes of practice, s 41 of PPIPA does not state that a direction can apply to a class of public sector agency.19 Again, this comment is applicable to s 62 of HRIPA. There is a view that the section cannot be read as encompassing a class of agency and the Commission agrees with this. The public interest question is integral to the exercise of the discretion to make a direction and would become too diluted if exempting an entire class of agency from compliance with an IPP, HPP or code was under consideration. We do not believe that Parliament intended the power given by s 41 and s 62 to be so broad. Nevertheless, we invite community response as to the interpretation of s 41 of PPIPA and s 62 of HRIPA and whether the section should be clarified, either to deny or allow application to a class of public sector agency/organisation.
ISSUE 52
(a) Should the intended application of s 41 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 62 of the Health Records and Information Privacy Act 2002 (NSW) be clarified?
(b) Should the sections make clear that the Privacy Commissioner may make a written direction applying to a class of agency/organisation?
(c) Alternatively, should the sections make clear that the Privacy Commissioner may not make a written direction applying to a class of agency/organisation?
COMPLAINTS UNDER s 45 OF PPIPA
Complaints on behalf of the individual
7.21 Section 45(1) of PPIPA does not identify who may make a complaint (“a complaint may be made”) and does not appear to limit its application to the individual concerned. However, a Privacy NSW Complaints Protocol was issued stating that the Privacy Commissioner had received legal advice to the effect that the section is limited to an individual whose privacy has been violated.20 This would include a third party acting on behalf of the individual, but not a third party whose privacy has not been affected, such as a “whistleblower”.
Criteria to be applied by the Privacy Commissioner
7.22 Section 45(1) of PPIPA provides that a “complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual”. The Act provides no guidance as to what matters the Privacy Commissioner may take into account in assessing and dealing with complaints under s 45(1), although these are set out in detail in the Privacy NSW Complaints Protocol.
7.23 The Crown Solicitor suggests that what might constitute “violation of” and “interference with” an individual’s privacy could usefully be clarified.21 One possibility is to model standards for assessing the alleged violation or interference on the Data Protection Principles. However, the counter argument is that the Data Protection Principles should not be used as a substitute for the application of the test in s 45(1),22 as they, and the analogous IPPs, appear to represent different notions of privacy. It seems unlikely that Parliament would have intended that the obligations and prohibitions applied to public sector agencies by the IPPs could be indirectly applied to other persons through s 45(1).
ISSUE 54
Should the meaning of “violation of” and “interference with” an individual’s privacy in s 45(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be clarified?
ISSUE 55
Should the legislation provide guidelines as to what can be taken into account in determining whether there has been a “violation of, or interference with, the privacy of an individual”?
Relationship between s 45 and s 36(2)(k) of PPIPA
7.24 Section 36(2)(k) of PPIPA sets out one of the Privacy Commissioner’s functions as being “to receive, investigate and conciliate complaints about privacy related matters”. Section 45(1) of PPIPA provides that “a complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual”.
7.25 It is unclear how these sections fit together; in particular, whether or not they provide independent sources of power. If the sections should not be regarded as separate and independent sources of power, the question remains as to how to reconcile the broad and milder wording of s 36(2)(k), which only requires that a matter be privacy related, and the more specific language of s 45(1), which requires a “violation of” or “interference with” privacy. The Commission is interested to receive submissions on whether the differences between the sections have caused difficulties or uncertainties in their application, to determine whether clarification is called for.
ISSUE 56
(a) Does the interaction between, and operation of, s 45 and 36(2)(k) of the Privacy and Personal Information Protection Act 1998 (NSW) need to be clarified?
(b) Should these sections be regarded as together regulating the Privacy Commissioner’s functions and powers with respect to complaints or as two independent sources of the Privacy Commissioner’s powers?
Application of s 51 of PPIPA to withdrawn complaints
7.26 Section 51 of PPIPA provides that, even though the Privacy Commissioner declines to deal with a complaint, or refers the complaint to a relevant authority, the Privacy Commissioner may still conduct an inquiry or investigation into any general issues raised by the complaint.
7.27 The Crown Solicitor has suggested that it is unclear whether, if a complaint is withdrawn under s 45(6) of PPIPA, the Privacy Commissioner can still conduct an inquiry or investigation into the complaint pursuant to s 51.23 The Crown Solicitor points out that s 51 expressly deals with two of the scenarios that can follow the making of a complaint (the Privacy Commissioner declines to deal with the complaint - s 46(3); or refers it to a relevant authority – s 47), but not the other two possible scenarios (the complaint is withdrawn – s 45(6); it is dealt with under s 48(1)). Given the express wording of s 51, the Commission is of the view that it is not intended to apply to other scenarios, in particular, where a complaint is withdrawn. At this stage, we see no need for amendment of this section, but invite submissions on the point.
Report to Parliament under s 65 of PPIPA
7.28 Section 65 of PPIPA allows the Privacy Commissioner to make a “special report” to Parliament “on any matter arising in connection with the discharge of his or her functions”. The Privacy Commissioner clearly has a basis for making a report under s 65 in relation to a complaint as his or her functions include “to receive, investigate and conciliate complaints about privacy related matters (including conduct to which Part 5 applies)”.24 Nevertheless, the Crown Solicitor has suggested that it is unclear whether s 65 extends to allowing a report relating to a complaint made under s 45.25
7.29 It could be argued that it does not, on the basis that s 50 already expressly deals with reports that the Privacy Commissioner may make in relation to a complaint. However, s 50 allows the Privacy Commissioner to make a report as to any findings or recommendations made by him or her but only in relation to a complaint dealt with by him or her. Section 46, on the other hand, envisages that not all complaints made to or by the Privacy Commissioner under s 45 will be dealt with by the Privacy Commissioner. In that case, without s 65, the Privacy Commissioner may be precluded from reporting to Parliament on a matter of concern to him or her arising out of the complaint. There can be no merit in, or justification for, this consequence.
7.30 In addition, the Commission is not convinced that a power to make a “special report” to Parliament is inconsistent with the discretion given to the Privacy Commissioner under s 50 to “make a written report as to any findings or recommendations … in relation to a complaint”. Nor does s 50 appear to preclude the making of a special report to Parliament in addition to a report made under that section. More particularly, the primary purpose of s 50 is impliedly to inform the complainant of the outcome of the complaint and also to inform “such other persons or bodies as appear to be materially involved in matters concerning the complaint”.26 While Parliament may be interested in matters of general public interest and concern that arise out of the complaint, strictly speaking, Parliament could not be said to be “materially” interested.
ISSUE 58
(a) Is it correct to conclude that the Privacy Commissioner has the power to make a “special report” under s 65 of the Privacy and Personal Information Protection Act 1998 (NSW) in relation to a complaint made under s 45, in addition to the power to make a report under s 50 of that Act?
(b) Should the legislation be amended to clarify the Privacy Commissioner’s powers under s 65 and s 50 of the Privacy and Personal Information Protection Act 1998 (NSW) to make a report relating to a complaint made under s 45?
REVIEW OF CONDUCT BY THE ADT - PPIPA PART 5; HRIPA s 21
Nature of the jurisdiction
7.31 Does the ADT hear PPIPA matters in its original or review jurisdiction? The ADT may make “original decisions” or “review reviewable decisions”.27 An “original decision” is “a decision of the Tribunal made in relation to a matter over which it has jurisdiction under an enactment to act as the primary decision-maker”.28 A “reviewable decision” is “a decision of an administrator that the Tribunal has jurisdiction under an enactment to review”.29
7.32 The relevance of determining this question is that the ADT has different powers available to it depending on the jurisdiction. For example, in its “review” jurisdiction, but not in its “original” jurisdiction, the ADT has the power to award costs. There are also some differences in the rules that apply to each jurisdiction.
7.33 Although the ADT has held that applications to it under PPIPA fall within the ADT’s review jurisdiction,30 it has observed that the legislative intention of PPIPA “is not consistent”31 and has acknowledged that there is a lack of clarity on the issue.32 The ADT has also observed that “the PPIPA jurisdiction does not fit comfortably into either category”.33
7.34 By way of comparison, the Note to s 48(1) of HRIPA clearly states that the ADT exercises “original” jurisdiction when hearing applications for an inquiry into a complaint made to the Privacy Commissioner under that Act.
7.35 The Crown Solicitor has raised a possible argument that because s 55 of PPIPA confers a right to apply to the ADT for a review of the “conduct that was the subject of the application [for internal review] under section 53”,34 and not the agency’s determination, there has been no “reviewable decision”.35
7.36 On one view, it is difficult to see how s 63 of the Administrative Decisions Tribunal Act 1997 (NSW) (“ADT Act”) can be applied to a review of “conduct”. Section 63 provides that in determining an application for review of a reviewable decision, the ADT is to decide what is “the correct and preferable decision”. The counterargument is that, as the definition of “decision” in s 6(1)(g) of the ADT Act includes “doing or refusing to do any other act or thing”, this is wide enough to include the types of conduct set out in s 52(1) of PPIPA. Further, “conduct”, as described in Part 5 of PPIPA may be a “decision” or some act or omission. As well, a public sector agency can be said to be an “administrator” for the purpose of s 8 of the ADT Act.36
7.37 Whether the jurisdiction is classified as “original” or “review”, the ADT is “strongly of the view” that cases before it “need to be approached in a way that is equivalent to how [it handles] ‘merits review’ work”.37 It does not accept the view that “the merits review jurisdiction can only apply to reviewable decisions”.38 However, it is concerned that if the jurisdiction is classified as being “original”, it would follow that “a civil litigation model should apply”.39 It points out that, in reality, cases brought before the ADT under PPIPA deal with the administrative conduct of an agency, which, in the ADT’s view, is no different from putting in issue an administrative decision. In that case, the same protocols should apply, such as: that no burden of proof rests on one party over another; that the ADT’s task is to determine what the “correct and preferable” approach might have been; and to do so having regard to the IPPs.40
ISSUE 59
(a) Should s 55 of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to clarify whether an application to the Administrative Decisions Tribunal is heard in its original or review jurisdiction?
(b) Should the jurisdiction be specified as being “review”?
Absence of a limitation period for review by the ADT
7.38 While an application for internal review by an agency must be made within six months from the time the applicant became aware of the conduct complained of,41 there is no time limit on applying to the ADT for review of an internal review pursuant to s 55 of PPIPA.42 Under HRIPA, a person who has made a complaint against a private sector person to the Privacy Commissioner can apply to the ADT for an inquiry into the complaint, providing this is done within 28 days after: receiving the Privacy Commissioner’s report; or a day nominated in the report as the day after which an application may be made.43
7.39 In the Crown Solicitor’s view, the absence of a limitation period for review under PPIPA has the potential to prejudice an agency, particularly as the ADT does not enforce any rule that the applicant bears the onus of proof.44 It considers that the rule that neither the applicant nor the respondent agency carries a burden of proof to prove or disprove a fact applies to its review proceedings.45 Theoretically, an applicant could apply to the ADT years after an agency has carried out an internal review, and with the applicant bearing no onus of proving or disproving facts, the agency is faced with considerable difficulty producing witnesses and documentation to defend its conduct.
7.40 The ADT itself supports the introduction of a time limit on filing an application for review in the Tribunal.46 It suggests that 60 days after completion of the internal review would be an appropriate time limit. Concurrently with such an amendment, the ADT submits that a provision should be added allowing a person who lodges a complaint with the Privacy Commissioner pursuant to s 45 of PPIPA within time to preserve a right to apply to the ADT for external review until after the s 45 process is completed.47 The ADT also advocates allowing out-of-time requests for an internal review.48
PROPOSAL 18
The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to include a limitation period for application for review by the Administrative Decisions Tribunal of an internal review. This should provide that an application to the Administrative Decisions Tribunal for external review of a complaint must be made within 60 days after the applicant:
(a) is notified that the Privacy Commissioner refuses to investigate the conduct complained of; or
(b) receives a report of the results of the Privacy Commissioner’s investigation.
ISSUE 60
Should s 53(3) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to include a provision allowing a person to request internal review of conduct outside the six-month limitation period?
The ADT’s powers on review
7.41 Where an application has been made for internal review of an agency’s conduct, s 55(2) of PPIPA provides that the ADT may decide not to take any action on the matter or may make any of the orders listed “on reviewing the conduct”. The section does not require that the ADT make a finding that the conduct has breached the provisions of PPIPA before granting one of the listed remedies.
7.42 The Crown Solicitor has argued that it cannot be implied that a reference to “conduct” in s 55(2) is a reference to conduct in breach of an IPP or a privacy code of practice, or that it is a disclosure of private information kept in a public register, (s 51(1) conduct)49 because s 52(2) defines “conduct” to include “alleged conduct”.50
7.43 The Crown Solicitor has concluded that it is likely that s 55(2) would be construed purposively so that an order could only be made in respect of infringing conduct and not merely alleged conduct, but that this should be clarified.51 The Commission agrees that the effect of the section should be to give the ADT power to make orders only on finding that conduct of a type specified in s 52(1) of PPIPA has occurred, and not merely following his or her review of alleged conduct. We agree that the section should be amended to clarify this.
7.44 We note that s 53(7) of PPIPA is similarly worded so as to permit an agency that undertakes internal review of its conduct to take remedial action “following the completion of the review”, without reference to the making of any findings. However, there are not the same implications as with s 55(2) as it is the agency’s own decision to make amends for its own conduct, whether or not it accepts that the conduct has caused harm. This is in contrast to the possibility of a tribunal making orders against an agency, despite there being no finding of misconduct.
Role of the Privacy Commissioner
7.45 The ADT has drawn attention to an argument that the Privacy Commissioner does not have a right to appear before the Appeal Panel of the ADT. Although the Appeal Panel has rejected this argument, the ADT submits that it would perhaps be desirable to amend PPIPA to clarify this point.52 The Commission agrees that, as s 55(7) of PPIPA makes it clear that the Privacy Commissioner has a right to appear in proceedings before the ADT, there should be legislative consistency in s 56.
Commissioner Determination model vs Tribunal Determination model
7.46 Looking at the resolution of complaints from a broad perspective, the ADT questions whether a final determination by the Tribunal is the best model.53 Although the ADT prefers final determination by the Privacy Commissioner, it acknowledges that there is divided opinion on this question. The Commissioner Determination model has been adopted in privacy legislation in the Canadian federal jurisdiction and in a number of Canadian provinces and in Freedom of Information legislation in Queensland and Western Australia. The Tribunal Determination model has been adopted in privacy legislation in the Commonwealth Privacy Act, in New South Wales, Victoria, the United Kingdom and New Zealand.
7.47 The ADT considers that the specialisation of the office of Privacy Commissioner, and the access to more flexible resources that goes with the office, is the main advantage of the Commissioner Determination model.54 The current President of the ADT was formerly the Federal Privacy Commissioner and is in a unique position to compare his direct experience with each model of final determination of complaints. He relates that, as Federal Privacy Commissioner, he had an experienced investigative staff that had credibility with the agencies “and knew how to deal neutrally and impartially with complainants and agencies”.55 He observes that “this was an agency-driven approach to the task that is left in Tribunals largely to the parties”.56
7.48 By contrast, the ADT has no investigative staff and “does not undertake full, professional investigation of complaints”. (It could not have an activist investigative arm if public confidence in the ADT to be independent and detached is to be maintained, even if limited to privacy cases.)57
7.49 The NSW Department of Health has expressed concerns with the current Tribunal Determination model, arguing that the process, compared with complaints that are mediated, is complicated and expensive.58 It believes that the incidence of self-represented litigants in the ADT protracts proceedings. In its experience, many of the cases that end up in the ADT are the minor ones where the Department of Health is disputing a technical point, whereas relatively major cases are more often mediated.
7.50 Changing PPIPA’s Part 5 review of conduct process to give final determination of a complaint to the Privacy Commissioner rather than the ADT would be a significant departure. However, this is the opportunity to make major reforms and accordingly the Commission puts forward the issue for debate.
FOOTNOTES
1. Privacy and Personal Information Protection Act 1998 (NSW) s 24(4): “The exemptions … extend to any public sector agency … who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.”
2. See Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.44].
3. See HPPs 4(4), 5(2), 6(2), 7(2), 8(4), 10(2), 11(2) and 15(2).
4. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.45].
5. HW v Commissioner of Police, New South Wales Police Service [2003] NSWADT 214, [64].
6. Director General, Department of Education and Training v MT [2005] NSWADTAP 77, [84]. See also KD v Registrar, New South Wales Medical Board [2004] NSWADT 5, [34]; and HW v Commissioner of Police [2003] NSWADT 214.
7. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.47].
8. Section 13AA(1) of the Ombudsman Act 1974 (NSW) provides: “The Ombudsman may make preliminary inquiries for the purpose of deciding whether to make particular conduct of a public authority the subject of an investigation under this Act.
9. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998 (April 2004), 26.
10. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 26.
11. NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Protection Act 1998, 26.
12. The qualification in s 22 of the Privacy and Personal Information Protection Act 1998 (NSW), which provides that nothing in the provisions relating to exemptions authorises an agency to do anything otherwise prohibited, does not apply to privacy codes of practice.
13. This authority is qualified by s 37(2) of the Privacy and Personal Information Protection Act 1998 (NSW).
14. See Privacy and Personal Information Protection Act 1998 (NSW) s 3.
15. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.65]. “Person” includes an individual, a corporation and a body corporate or politic: Interpretation Act 1987 (NSW) s 21(1).
16. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.68].
17. Section 48(1) provides: “If an Act or instrument confers or imposes a function on any person or body, the function may be exercised (or, in the case of a duty, shall be performed) from time to time as occasion requires.”
18. Compare s 31(7) of the Privacy and Personal Information Protection Act 1998 (NSW).
19. Crown Solicitor’s Office, New South Wales, Advice(5 October 2007), [3.70].
20. Privacy NSW Complaints Protocol (issued 22 July 2002, revised July 2006), [2.2.2].
21. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.57].
22. The test being that the Privacy Commissioner may make or receive a complaint if there has been a “violation” or “interference”.
23. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.61].
24. Privacy and Personal Information Protection Act 1998 (NSW) s 36(2)(k). Part 5 of the Privacy and Personal Information Protection Act 1998 (NSW) deals with internal reviews of conduct by public sector agencies.
25. Crown Solicitor’s Office, New South Wales, Advice(5 October 2007), [3.63].
26. Privacy and Personal Information Protection Act 1998(NSW) s 50(2).
27. Administrative Decisions Tribunal Act 1997 (NSW) s 36(1).
28. Administrative Decisions Tribunal Act 1997 (NSW) s 7.
29. Administrative Decisions Tribunal Act 1997 (NSW) s 8.
30. Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132. The ADT found a number of indications that this is what Parliament intended: s 52(4) of the Privacy and Personal Information Protection Act 1998 (NSW) ousts the application of s 53 (Internal reviews) of the Administrative Decisions Tribunal Act 1997 (NSW); s 55(3) of the Privacy and Personal Information Protection Act 1998 (NSW) provides that nothing in s 55 limits the ADT’s powers under div 3, pt 3, ch 5 of the Administrative Decisions Tribunal Act 1997 (NSW); the ADT only has power to award costs in its review jurisdiction.
31. Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132, [12].
32. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998 (26 May 2004), 3.
33. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 10.
34. Privacy and Personal Information Protection Act 1998 (NSW) s 55(1).
35. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.76].
36. Section 9 of the Administrative Decisions Tribunal Act 1997 (NSW) defines an “administrator” as “the person or body that makes (or is taken to have made) the decision under the enactment concerned”.
37. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 11.
38. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 11.
39. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 11.
40. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 11.
41. Privacy and Personal Information Protection Act 1998 (NSW) s 53(3)(d).
42. Fitzpatrick v Chief Executive Officer, Ambulance Service of NSW [2003] NSWADT 132, [19]: “Even applying a purposive approach to statutory interpretation, it is not possible to read into s 55 of the [Administrative Decisions Tribunal Act 1997 (NSW)], or any other provision, a time limit for applications to the Tribunal under the PPIP Act. There is only one possible construction of the provisions set out above, and that is that there are no time limits for the lodging of privacy applications with the Tribunal.”
43. Health Records and Information Privacy Act 2002 (NSW) s 48.
44. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.81].
45. See GR v Director-General, Department of Housing [2004] NSWADTAP 26, [35] and [36]. Although, an application may be dismissed if the application produces insufficient evidence of circumstances that might warrant a finding of unlawful conduct where those circumstances are within the knowledge of the applicant but not known to the agency: FY v Commissioner, Health care Complaints Commission[2003] NSWADT 128.
46. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 9.
47. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 9. See s 54 of the Freedom of Information Act 1989 (NSW).
48. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 9.
49. Section 52(1) of the Privacy and Personal Information Protection Act 1998 (NSW) specifies that this is the conduct to which Part 5 applies.
50. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.82].
51. Crown Solicitor’s Office, New South Wales, Advice (5 October 2007), [3.82].
52. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 9.
53. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 7.
54. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 7.
55. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 7.
56. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 7.
57. New South Wales, Administrative Decisions Tribunal, Submission to Attorney General’s Department Review of the Operation of the Privacy and Personal Information Protection Act 1998, 7.
58. Department of Health, Consultation (3 December 2007).
