Consultation Paper 3 (2008) - Privacy legislation in New South Wales
List of proposals and issues
PROPOSALS
Chapter 1
PROPOSAL 1
Reforms of New South Wales privacy law should aim to achieve national uniformity.
PROPOSAL 2
New South Wales should co-operate with the Commonwealth in the development of privacy principles that are capable of application in all New South Wales privacy legislation.
PROPOSAL 3
New South Wales legislation should only apply to the handling of personal information by public sector agencies.
Chapter 4
PROPOSAL 4
The Privacy and Personal Information Protection Act 1998 (NSW) should be restructured:
- to locate the IPPs and exemptions in a schedule to the Act; and
- to reduce the Act’s level of detail and complexity to resemble more closely that of the Health Records and Information Privacy Act 2002 (NSW).
PROPOSAL 5
The Health Records and Information Privacy Act 2002 (NSW) should be amended so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth).
Chapter 5
PROPOSAL 6
All State owned corporations should be covered by privacy legislation.
PROPOSAL 7
The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to provide that where a public sector agency contracts with a non-government organisation to provide services for government, the non-government organisation should be contractually obliged to abide by the IPPs and any applicable code of practice in the same way as if the public sector agency itself were providing the services.
Chapter 6
PROPOSAL 8
If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged, the provision governing collection of personal information directly from an individual should contain the two exceptions currently provided for in IPP 2 together with a third exception currently provided for in HPP 3, namely that information must be collected from the individual unless it is “unreasonable or impractical to do so”.
PROPOSAL 9
If two separate Acts continue to operate:
- HPP 3 should be amended to allow an individual to authorise collection of his or her personal information by an organisation from someone else and to allow collection of information about an individual under 16 years from a parent or guardian; and
- IPP 2 should be amended by introducing a further exemption, namely, that information must be collected from the individual unless it is “unreasonable or impractical to do so”.
PROPOSAL 10
IPPs 3 and 4 should be amended to stipulate that the requirements imposed by those sections apply whether the information is collected directly from the individual to whom the information relates or indirectly from someone else.
PROPOSAL 11
IPPs 3 and 4 should be amended to clarify that the word “collects” means, in relation to information derived from observations of, or conversations with, an individual, the point at which information is recorded.
PROPOSAL 12
IPP 5 and HPP 5 should be amended to include a requirement for the secure collection of personal information.
PROPOSAL 13
The meaning and effect of s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW), and their application to the IPPs and HPPs respectively, should be clarified.
PROPOSAL 14
Section 19(2) of the Privacy and Personal Information Protection Act 1998 (NSW) should be redrafted in line with HPP 9 and the proposed UPP 11. Alternatively, if the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are to become one Act, HPP 9, redrafted to incorporate elements of the proposed UPP 11, is to be preferred over s 19(2) to regulate transborder data flows and transfer of information to Commonwealth agencies.
PROPOSAL 15
If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are to become one Act, a privacy principle regulating the use and disclosure of identifiers should be contained in the new Act. If the two Acts are to remain separate, the Privacy and Personal Information Protection Act 1998 (NSW) should be amended by the addition of a further IPP regulating the use and disclosure of identifiers.
Chapter 7
PROPOSAL 16
Section 25(b) of the Privacy and Personal Information Protection Act 1998 (NSW) should be amended to read as follows:
“A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:
…
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act (including the State Records Act 1998) or any other law.”
PROPOSAL 17
Section 41 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 62 of the Health Records and Information Privacy Act 2002 (NSW) should be amended to give the Privacy Commissioner the power to amend an earlier direction.
PROPOSAL 18
PROPOSAL 19
Section 55(2) of the Privacy and Personal Information Protection Act 1998 (NSW) should be amended to provide that the Administrative Decisions Tribunal may make any one or more of the orders listed in subsections (a)-(g) on finding that the public sector agency’s conduct the subject of the review was conduct that:
- contravened an IPP that applied to the agency;
- contravened a privacy code of practice that applied to the agency; or
- amounted to disclosure by the agency of private information kept in a public register.
PROPOSAL 20
Section 56 of the Privacy and Personal Information Protection Act 1998 (NSW) should be amended to include a provision that the Privacy Commissioner has a right to appear and be heard in any proceedings before the Appeal Panel of the Administrative Decisions Tribunal.
ISSUES
Chapter 1
ISSUE 1
ISSUE 2
To what extent are the criminal sanction provisions of the legislation considered in this paper adequate and satisfactory?
Chapter 4
ISSUE 3
Should the Privacy and Personal Information Protection Act 1998 (NSW) contain an objects clause? If so, how should that clause be drafted?
ISSUE 4
If health information held by the private sector were to be regulated by the Privacy Act 1988 (Cth), should New South Wales continue to have two separate information privacy statutes?
ISSUE 5
What reasons would there be for the continued existence of the Health Records and Information Privacy Act 2002 (NSW) if it only regulated public sector agencies?
Chapter 5
ISSUE 6
(a) Should “publicly available information” under the Privacy and Personal Information Protection Act 1998 (NSW) and “generally available information” under the Health Records and Information Privacy Act 2002 (NSW) be exempted altogether from the definition of “personal information” in those Acts?
(b) Should IPP 2 and HPP 2 alone apply to “publicly available information” and “generally available information”, but not other IPPs and HPPs?
ISSUE 7
(a) Is the meaning of “publicly available information” the same as “generally available information”? Is it appropriate that they have different meanings in the context of general information and health information?
(b) If two different phrases are to remain, should the definitions of “publicly available information” and “generally available information” be clarified in the legislation?
ISSUE 8
(a) Should the exemptions in any or all of the following provisions remain or are they made unnecessary by s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW) and Schedule 1 to the Freedom of Information Act 1989 (NSW):
- s 4(3)(e) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(h) of the Health Records and Information Privacy Act 2002 (NSW);
- s 4(3)(i) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(l) of the Health Records and Information Privacy Act 2002 (NSW); and/or
- s 4(3)(ja) of the Privacy and Personal Information Protection Act 1998 (NSW)?
(b) If any or all of the exemptions are to remain, should the information referred to in each provision be exempt from all the IPPs and HPPs or only some of them? Which, if any, IPPs and HPPs should apply to the information?
(c) If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged into one Act, how should the exemptions be worded if they are retained?
ISSUE 9
What is the rationale behind, and value of, the exception contained in s 4(3)(h) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(k) of the Health Records and Information Privacy Act 2002 (NSW) (information arising out of a complaint about conduct of police officers)?
ISSUE 10
Should a person who has made a complaint about police conduct be precluded from having access to their personal file in relation to the complaint process?
ISSUE 11
Should the police officer who is the subject of a complaint be able to access the information relating to the complaint?
ISSUE 12
Should some IPPs and HPPs but not others apply to information about an individual arising out of a complaint made under Part 8A of the Police Act 1990 (NSW)? If so, which ones should apply?
ISSUE 13
(a) Should the NSW Ombudsman be included among those agencies listed in s 27 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 17 of the Health Records and Information Privacy Act 2002 (NSW) as being exempt from compliance with the IPPs?
(b) Even if the answer to this is “yes”, should the information referred to in s 4(3)(c), (d), (f) and (h) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(f), (g), (i) and (k) of the Health Records and Information Privacy Act 2002 (NSW) continue to be exempt from the definition of “personal information”?
ISSUE 14
Should the legislation continue to exempt from the definition of “personal information” information about an individual’s suitability for appointment or employment as a public sector official?
ISSUE 15
Should the exemption from the definition of “personal information” of information about an individual’s suitability for appointment or employment as a public sector official be restricted to information about a prospective employee, or also apply to information about an agency’s current employee?
ISSUE 16
Do s 4(3)(j) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(m) of the Health Records and Information Privacy Act 2002 (NSW) need amending to clarify their meaning and Parliament’s intention?
ISSUE 17
Should s 4(3)(j) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(m) of the Health Records and Information Privacy Act 2002 (NSW) be reworded to provide that they apply only to information that directly relates to suitability for recruitment, promotion, discipline and involuntary retirement?
ISSUE 18
(a) Should information contained in photographs or video images come within the definition of “personal information”?
(b) Should this depend on whether an individual’s identity is apparent or can reasonably be identified from the visual image?
(c) If the definition of “personal information” should include visual images, should this be clarified in the legislation?
(d) Should some of the IPPs, but not others, apply to visual images that contain personal information? If so, which ones should apply?
ISSUE 19
(a) Should the meaning of the phrase “or can reasonably be ascertained from the information or opinion” in s 4(1) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(1) of the Health Records and Information Privacy Act 2002 (NSW) be clarified?
(b) If so, should this be by an amendment to the legislation or should it be left to judicial construction or the publication of a Privacy Guideline?
ISSUE 20
Should s 3(1)(b) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to define a “public sector agency” as “a body established or appointed for a public purpose by or under a NSW Act” or, alternatively, “any public authority constituted by or under a NSW Act”?
ISSUE 21
Should s 4(1) of the Health Records and Information Privacy Act 2002 (NSW) be amended to define a “public sector agency” as “a body established or appointed for a public purpose by or under a NSW Act or an affiliated health organisation” or, alternatively, “any public authority constituted by or under a NSW Act or an affiliated health organisation”?
ISSUE 22
Should the meaning of “unsolicited” in s 4(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 10 of the Health Records and Information Privacy Act 2002 (NSW) be clarified?
ISSUE 23
If information is “unsolicited”, what IPPs or HPPs, if any, should apply to that information? Should all of the provisions of the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) apply to unsolicited information, except the collection IPPs and HPPs?
ISSUE 24
Should the meaning of, and distinction between, “administrative” and “educative” functions in s 27 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 17 of the Health Records and Information Privacy Act 2002 (NSW) be more clearly defined?
ISSUE 25
Should the legislation explicitly provide that if a function is dual, the administrative function must be separately categorised?
ISSUE 26
Is the opportunity to complain to the Privacy Commissioner and challenge the categorisation of a function sufficient?
ISSUE 27
Should the Privacy and Personal Information Protection Act 1998 (NSW) contain express provisions for the general regulation of bodily privacy?
ISSUE 28
Should the Privacy and Personal Information Protection Act 1998 (NSW) contain express provision for breaches of territorial privacy?
ISSUE 29
If a statutory cause of action for invasion of privacy is to be enacted, what should be its relationship to the Privacy and Personal Information Protection Act 1998 (NSW)?
Chapter 6
ISSUE 30
Should IPP 1 be amended to include a provision that a public sector agency must not collect personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, sexual activities or criminal record (defined as “sensitive information”) unless the collection is strictly necessary?
ISSUE 31
Should collection of sensitive information be allowed if necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person?
ISSUE 32
Should the Privacy and Personal Information Protection Act 1998 (NSW) be amended by introducing a provision equivalent to s 7 of the Health Records and Information Privacy Act 2002 (NSW) that an individual is incapable of doing an act authorised, permitted or required by the Health Records and Information Privacy Act 2002 (NSW) if that individual is incapable, by reason of age, injury, illness or physical or mental impairment, of understanding the nature of the act or communicating his or her intentions with respect to the act?
ISSUE 33
Should IPP 3 be amended to adopt the wording of HPP 4 or UPP 3.2, or some combination of the two?
ISSUE 34
Should IPP 9 and HPP 9 apply to personal information that consists of conclusions drawn, or opinions expressed, based on observations of, or conversations with, an individual, providing a record is made of those conclusions or opinions? If so, do these provisions require amendment to clarify this?
ISSUE 35
Does the effect of s 15(1) and (2) of the Privacy and Personal Information Protection Act 1998 (NSW) need clarification? If so, how should one or both sections be amended to reconcile their operation?
ISSUE 36
(a) Should “use” and “disclosure” be treated as one concept such as “processing”, or as a combined phrase such as in the proposed UPP 5, with the one set of privacy standards and exemptions applying?
(b) Alternatively, should the same privacy standards, and exemptions from those standards, contained in the HPPs apply equally to “use” and “disclosure” of information?
ISSUE 37
Is the correct interpretation of IPPs 10 and 11 and HPPs 10 and 11 that the relevant purpose is the one for which the agency/organisation collected it? If so, should the provisions be amended to clarify this?
ISSUE 38
Do IPPs 10 and 11 and HPPs 10 and 11 apply to unsolicited information? If not, should they apply?
ISSUE 39
Should the privacy principles include a principle in terms identical, or equivalent, to the proposed UPP 2.5?
ISSUE 40
(a) Should s 18(1)(b) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to include the phrase “and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure”?
(b) Alternatively, should s 18(1)(b) be amended to delete the reference to s 10 and to provide instead that the individual must be made aware at the time the information is collected that information of that kind is usually disclosed to a third party?
ISSUE 41
Should disclosure of an individual’s criminal history and record be restricted under s 19 of the Privacy and Personal Information Protection Act 1998 (NSW)?
ISSUE 42
Should the meaning of the words “sexual activities” in s 19(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be clarified?
ISSUE 43
Should s 19(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be taken out of s 19 and placed within s 18?
ISSUE 44
Should the privacy principle regulating the use and disclosure of identifiers be in the same terms as HPP 12 or the proposed UPP 10, or some combination of the two?
Chapter 7
ISSUE 45
Should s 24 of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to exempt an agency from compliance with IPPs 2, 3, 10 and 11 when the agency is disclosing personal information to an investigative agency for the purpose of that investigative agency carrying out its complaint handling or investigative functions?
ISSUE 46
(a) Is the correct interpretation of s 25(a) of the Privacy and Personal Information Protection Act 1998 (NSW) that it applies to cases where a statutory provision expressly refers to the relevant IPP and provides that an agency is authorised or required not to comply with it, or is a wider interpretation correct, such as adopted by the Administrative Decisions Tribunal in HW v Commissioner of Police, New South Wales Police Service?
(b) Should s 25(a) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to clarify its application?
ISSUE 47
Should public sector agencies be exempted from compliance with s 18 of the Privacy and Personal Information Protection Act 1998 (NSW) if the information is disclosed to an investigative agency in order that it may exercise its complaints-handling or investigative functions?
ISSUE 48
Should the interaction of s 29(2) of the Privacy and Personal Information Protection Act 1998 (NSW) with s 30(1) of that Act be clarified?
ISSUE 49
Should the precise scope of a privacy code of practice be clarified?
ISSUE 50
Should the word “person” in s 37 and 38 of the Privacy and Personal Information Protection Act 1998 (NSW) be read as meaning a “natural person”? If so, should this be clarified in the legislation?
ISSUE 51
Should both s 37 and 38(4) of the Privacy and Personal Information Protection Act 1998 (NSW) apply to a “person or public sector agency”?
ISSUE 52
(a) Should the intended application of s 41 of the Privacy and Personal Information Protection Act 1998 (NSW) and s 62 of the Health Records and Information Privacy Act 2002 (NSW) be clarified?
(b) Should the sections make clear that the Privacy Commissioner may make a written direction applying to a class of agency/organisation?
(c) Alternatively, should the sections make clear that the Privacy Commissioner may not make a written direction applying to a class of agency/organisation?
ISSUE 53
Should s 45(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to clarify that its application is limited to an individual whose privacy has been violated, or a person acting on behalf of the individual?
ISSUE 54
Should the meaning of “violation of” and “interference with” an individual’s privacy in s 45(1) of the Privacy and Personal Information Protection Act 1998 (NSW) be clarified?
ISSUE 55
Should the legislation provide guidelines as to what can be taken into account in determining whether there has been a “violation of, or interference with, the privacy of an individual”?
ISSUE 56
(a) Does the interaction between, and operation of, s 45 and 36(2)(k) of the Privacy and Personal Information Protection Act 1998 (NSW) need to be clarified?
(b) Should these sections be regarded as together regulating the Privacy Commissioner’s functions and powers with respect to complaints or as two independent sources of the Privacy Commissioner’s powers?
ISSUE 57
Does s 51 of the Privacy and Personal Information Protection Act 1998 (NSW) require clarification with respect to the Privacy Commissioner’s power to conduct an inquiry or investigation into any general issue raised by a withdrawn complaint?
ISSUE 58
(a) Is it correct to conclude that the Privacy Commissioner has the power to make a “special report” under s 65 of the Privacy and Personal Information Protection Act 1998 (NSW) in relation to a complaint made under s 45, in addition to the power to make a report under s 50 of that Act?
(b) Should the legislation be amended to clarify the Privacy Commissioner’s powers under s 65 and s 50 of the Privacy and Personal Information Protection Act 1998 (NSW) to make a report relating to a complaint made under s 45?
ISSUE 59
ISSUE 60
Should s 53(3) of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to include a provision allowing a person to request internal review of conduct outside the six-month limitation period?
ISSUE 61
Should Part 5 of the Privacy and Personal Information Protection Act 1998 (NSW) be amended to give final determination of a complaint to the Privacy Commissioner rather than the Administrative Decisions Tribunal?
Chapter 8
ISSUE 62
Should the disclosure, access and correction provisions of the Privacy and Personal Information Protection Act 1998 (NSW) and the Freedom of Information Act 1989 (NSW) be rationalised?
ISSUE 63
Should the Freedom of Information Act 1989 (NSW) be the means by which the Privacy and Personal Information Protection Act 1998 (NSW) access rights are obtained?
ISSUE 64
Should the complaints-handling and review procedures of the Privacy and Personal Information Protection Act 1998 (NSW) and the Freedom of Information Act 1989 (NSW) that are not specifically related to the particular provisions of each Act be made consistent?
ISSUE 65
Should the administration of FOI and privacy legislation be amalgamated in one body?
ISSUE 66
(a) Should the following amendments, as suggested by the NSW Ombudsman, be made?
- repeal s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW);
- amend s 13, 14 and 15 and/or s 20 of the Privacy and Personal Information Protection Act 1998 (NSW) to provide that the IPPs contained in those sections do not apply to agencies to which the Freedom of Information Act 1989 (NSW) applies and that, in relation to those agencies, those principles are implemented through the relevant provisions of the Freedom of Information Act 1989 (NSW);
- amend the Freedom of Information Act 1989 (NSW) to clarify that agencies can adopt informal methods of releasing personal information to the applicant.
(b) Is there a better alternative to this solution?
ISSUE 67
What alternative amendments to the Privacy and Personal Information Protection Act 1998 (NSW), the Freedom of Information Act 1989 (NSW) and the Local Government Act 1993 (NSW) would address the current problems arising from the application of three different regulatory schemes?
ISSUE 68
(a) Should a provision be inserted into s 12 of the Privacy and Personal Information Protection Act 1998 (NSW), identical to that inserted into s 15(4) of that Act, providing that s 12, and any provision of a privacy code of practice that relates to the requirements set out in that section, apply to public sector agencies despite s 21 of the State Records Act 1998 (NSW)?
(b) Alternatively, should s 12 be clarified as taking effect subject to the prohibition in s 21 of the State Records Act 1998 (NSW)?