9. UPP 9: Access and correction

Updates and background for this project (Digest)

• Introduction
• NSWLRC Consultation Paper 3
• ALRC Discussion Paper 72
• ALRC Report 108
• Access
• Correction
• Refusal of request to access or correct
• Conclusion

INTRODUCTION

9.1 When an agency or organisation holds an individual’s personal information, legislation regulating the keeping of that information must also give the individual a right to access and, if necessary, correct it.

9.2 Privacy legislation is not the only legislation regulating the keeping of information, and hence rights to access and correct that information are given by Acts other than privacy Acts.¹ Rights of access and correction under these other Acts often interact, and sometimes clash, with privacy legislation. Key among such Acts is the freedom of information (“FOI”) legislation.²

9.3 The overlap between the access and correction provisions in the privacy legislation and those in other legislation creates complexity in both the Commonwealth and NSW, not only for agencies, but also for people seeking to access and correct personal information. As we pointed out in CP 3, the relevant provisions in both FOI and privacy Acts often regulate the same thing, but they do so in terms that are, at best, only similar or comparable to each other, not identical. At worst, it has been suggested that the differences between the Acts are such that it “is simply not possible” to obey them at the same time.³

9.4 The need to address this long standing confusion has been recognised in the past.⁴ In Report 108, the ALRC, although constrained by the fact that it did not want to recommend amendments to the Freedom of Information Act 1982 (Cth) (“FOI Act (Cth)”) given that it had a subsequent reference to review that Act,⁵ made some attempts to standardise access and correction procedures.

9.5 Since the publication of Report 108, however, several developments have taken place:

1. In July 2008, the federal government announced its intention to reform the FOI Act (Cth) in line with commitments made during the 2007 election. As a result, the Commonwealth Attorney-General asked the ALRC not to continue with its review of the Act. The ALRC had been due to report on its FOI reference by December 2008.⁶

2. Subsequently, in March 2009, the Commonwealth Cabinet Secretary and Special Minister of State announced the release of an exposure draft of the proposed Freedom of Information Amendment (Reform) Bill 2009 (Cth) and the Information Commissioner Bill 2009 (Cth). The “Companion Guide” to the exposure draft Bills indicated that the Government proposes to amend the Privacy Act 1988 (Cth) “to enact an enforceable right of access to, and correction of, an individual’s own personal information, rather than maintain this right through the FOI Act”. This would “make the Privacy Act the key Commonwealth law for the collection, handling, disclosure and access to personal information”. The deadline for submissions on this and accompanying Bills was 15 May 2009.⁷

3. On 6 May 2009, the Premier of NSW announced the release of a raft of public consultation drafts of Bills, including the Government Information (Public Access) Bill 2009 (NSW), the Government Information (Information Commissioner) Bill 2009 (NSW) and the Government Information (Public Access) (Consequential Amendments and Repeals) Bill 2009 (NSW). The deadline for submissions on these bills was 3 June 2009.⁸ The Bills passed through Parliament and the resulting Acts received Assent in June 2009. At the time of writing the three Acts were awaiting proclamation.

4. Simultaneously with the release of the draft bills, the government requested that the Commission “inquire and report on the legislation and policies governing the handling of access applications for personal information of persons other than the applicant under the Freedom of Information Act 1989 (NSW) or any successor legislation”. In undertaking this inquiry, the Commission is to have regard to “[t]he adequacy of the Freedom of Information Act 1989 (NSW) (and any successor legislation) concerning the handling of access applications for personal information in ensuring effective protection of individuals’ privacy”.⁹

5. Clause 1 of Schedule 1 of the Government Information (Public Access) (Consequential Amendments and Repeals) Act 2009 (NSW) transfers Part 4 of the Freedom of Information Act 1989 (NSW) (“FOI Act (NSW)”), which covers the amendment of records, to PPIPA. The Companion Guide to the Bills states that this has been done “pending the outcome of the Law Reform Commission’s review” of NSW privacy laws.¹⁰

9.7 In the following discussion, we consider UPP 9, and compare it to current NSW law. At this stage, the Commission considers that UPP 9 is an adequate access and correction principle. However, because the law in NSW is subject to change, we cannot comment with finality on the matter of the inclusion of UPP 9 within the privacy principles that ought to apply in NSW. This chapter proceeds on this basis.

NSWLRC CONSULTATION PAPER 3

9.8 The Commission’s comments on access and correction principles in CP 3 highlighted the overlap problems in NSW. The Commission outlined the submission of Privacy NSW that the usefulness of s 14 and 15, which are the access and correction principles of PPIPA, is diminished by s 20(5) of PPIPA, due to a “lack of clarity about the breadth of [their] application”.¹² The Commission identified that the lack of clarity lay with s 20(5) of PPIPA (and its equivalent s 22(3) of HRIPA), rather than with s 14 and 15 themselves.¹³

9.9 The Commission went on to say that the difficulty with s 20(5) is the uncertainty, and lack of guidance, as to what are “conditions” or “limitations” of the FOI Act (NSW).¹⁴ We noted arguments made by Privacy NSW that it was uncertain exactly how “the access and correction provisions of the FOI Act relate to or are imported into” PPIPA. Privacy NSW cited as examples of this uncertainty questions as to whether s 20(5) had the effect of importing into PPIPA from the FOI Act (NSW): the requirement to lodge a request in writing, or to pay prescribed fees; the Schedule 1 list of exempt documents; the Schedule 2 list of exempt bodies; or the consultation requirements in Part 3. Privacy NSW concluded that the benefits of the less formal approach to request access to, or amendment of one’s own personal information in IPPs 7 and 8 are lost “if the request must in effect become an FOI application”.¹⁵

9.10 As a result of these comments, the Commission made the following proposal:

The meaning and effect of s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW), and their application to the IPPs and HPPs respectively, should be clarified.¹⁶

(i) Should the disclosure, access and correction provisions of the Privacy and Personal Information Protection Act 1998 (NSW) and the Freedom of Information Act 1989 (NSW) be rationalised?

(ii) Should the Freedom of Information Act 1989 (NSW) be the means by which the Privacy and Personal Information Protection Act 1998 (NSW) access rights are obtained?¹⁸

9.13 However, a number of submissions supported the suggestion that the FOI Act (NSW) be the sole vehicle for the access and correction of personal information. The Department of Community Services indicated that it “strongly support[ed] the Ombudsman’s recommendation that the FOI Act be the means by which the PPIPA access and correction rights are obtained”.²⁵ The Department of Corrective Services also supported the proposal in issue 63, noting that it already encouraged those making applications to access or correct their personal information to do so in accordance with the FOI Act (NSW).²⁶ The State Records and the Law Society of NSW also supported the concentration of these provisions in the FOI Act (NSW).²⁷

9.14 The Commission will consider these submissions in its remaining review of privacy law and of access to personal information.

ALRC DISCUSSION PAPER 72

9.15 In DP 72, the ALRC noted that it had “considered various models for dealing with the overlap”.²⁸ It ultimately proposed that a new part covering access and correction of personal information held by agencies be inserted into the Privacy Act.²⁹ The ALRC further proposed that Part V of the FOI Act (Cth) be repealed, and a section inserted in its stead providing that access to and correction of personal information be dealt with under the Privacy Act.³⁰ In reaching these proposals, it concluded that the problem of “mixed” applications could be solved administratively by agencies.³¹ The ALRC felt that the abilities both to access and correct personal information were “fundamental privacy rights” and, as such, belonged in privacy legislation overseen by the Privacy Commissioner.³²

9.16 The model access and correction UPP initially formulated by the ALRC therefore only applied to personal information held by organisations, with the new part applying to agencies.³³ In this, it was singular among the UPPs, which, as explained in the Introduction, and as their name implies, were designed to provide a uniform framework for the handling of personal information.

ALRC REPORT 108

9.17 Two factors caused the ALRC to modify its DP 72 position in the final report. First, following the release of DP 72, the then Attorney-General, The Hon. Philip Ruddock, asked the ALRC to review the FOI Act (Cth). The ALRC decided that proposed changes to the FOI Act (Cth) should be left to that future review.³⁴ Secondly, submissions received by the ALRC in response to DP 72 objected to the proposal to keep the obligations for agencies separate from those for organisations, and also indicated that this approach would not address any of the issues arising from the overlap of privacy and FOI legislation.³⁵

9.18 In Report 108, therefore, the ALRC moved away from its DP 72 proposals. The ALRC expressed the view that the access and correction principle, UPP 9, should instead provide a “predominately unified” regime for access and correction.³⁶ The ALRC accepted the submissions it received on this point and noted that a “single regime” for the access and correction of documents, whether held by agencies or organisations, was the preferred approach.³⁷ Although amendments to the FOI Act (Cth) were not considered appropriate at this stage, the ALRC concluded that the problems caused by the overlap could be lessened in the interim by maintaining “the existing arrangements whereby individuals have rights of access to and correction of, personal information under both the Privacy Act and the FOI Act” but modifying “the provisions that deal with the interaction between the access and correction provisions under both Acts”.³⁸

9.19 Recommendation 29-1 of Report 108 therefore states that the UPPs should “contain a principle called ‘Access and Correction’ that, subject to Recommendation 29-2, applies consistently to agencies and organisations”.³⁹ Recommendation 29-2 states that, where personal information is held by an agency, any exemptions to the general rule that access must be provided should be those found in relevant Commonwealth law but, where it is held by an organisation, the applicable exemptions should be those that currently appear in NPP 6.⁴⁰

9.20 As is examined in more detail below, UPP 9 provides that the exemptions contained within the FOI Act (Cth) relating to when agencies do not have to provide access to documents in their possession still apply to personal information.⁴¹ A separate set of exemptions, applicable only to organisations, is then set out within the UPP itself. However, the ALRC has recommended that the FOI provisions relating to procedure for access and correction (or amendment as it is known under the FOI Act (Cth)),⁴² and also the limitations placed on the amendment of personal information by Part V of the FOI Act (Cth), should no longer apply to requests for correction of personal information made under the Privacy Act. Yet it will remain possible to make an application for access or correction of personal information under the FOI Act (Cth) and the provisions of that Act will, of course, still apply to such applications.

9.21 As a result, UPP 9 does not, and indeed cannot, entirely address the problems arising from the overlap between the Privacy Act and the FOI Act (Cth). Further work will need to be done in this area at the Commonwealth level in order to achieve a clear and consistent regime for the access and correction of personal information.

9.22 In Report 108, the ALRC speculated that the then anticipated review of the FOI Act “could consider amending the FOI Act so that it no longer regulates access to, and correction of, personal information and is limited to regulating access to information about third parties and deliberative processes of government”.⁴³ Other options that such a review might consider could be the amendment of the FOI Act (Cth) “to provide a simpler and more user-friendly process” for the access and correction of personal information, the amendment of the exemptions to access under the FOI Act (Cth) and the “expansion of the correction rights under the FOI Act to accord with those under the Privacy Act”.⁴⁴ These are all options that the NSWLRC might explore in our future consideration of these issues.

9.23 A further consequence of UPP 9 in its current form is that, if the States and the Commonwealth continue to have different FOI regimes, then, even if they adopt UPP 9, its effect will be different in practice. In Report 108, the ALRC noted a submission to DP 72 in relation to the proposal to amend the FOI Act (Cth) and the Privacy Act which the ALRC summarised as follows:

National Legal Aid submitted that the proposal has implications in relation to the national consistency of privacy laws relating to the federal and state public sectors. It noted that some state privacy laws are subordinated to freedom of information laws and access to personal information is subject to FOI exemptions.⁴⁵

ACCESS

UPP 9

9.25 UPP 9 provides as follows in respect of access:

9.1 If an agency or organisation holds personal information about an individual and the individual requests access to the information, it must respond within a reasonable time and provide the individual with access to the information, except to the extent that:

Where the information is held by an agency:

(a) the agency is required or authorised to refuse to provide the individual with access to that personal information under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents; or

Where the information is held by an organisation:

(b) providing access would be reasonably likely to pose a serious threat to the life or health of any individual;

(c) providing access would have an unreasonable impact upon the privacy of individuals other than the individual requesting access;

(d) the request for access is frivolous or vexatious;

(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings;

(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations;

(g) providing access would be unlawful;

(h) denying access is required or authorised by or under law;

(i) providing access would be likely to prejudice an investigation of possible unlawful activity;

(j) providing access would be likely to prejudice the:


(i) prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

(ii) enforcement of laws relating to the confiscation of the proceeds of crime;

(iii) protection of the public revenue;

(iv) prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

(v) preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

by or on behalf of an enforcement body; or


(k) an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

9.2 Where providing access would reveal evaluative information generated within the agency or organisation in connection with a commercially sensitive decision-making process, the agency or organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note: The mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information under UPP 9.2.

9.3 If an agency or organisation is not required to provide an individual with access to his or her personal information it must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.

9.4 If an organisation charges for providing access to personal information, those charges:


(a) must not be excessive; and

(b) must not apply to lodging a request for access.

Note: Agencies are not permitted to charge for providing access to personal information under UPP 9.4.


9.5 An agency or organisation must provide personal information in the manner requested by an individual, where reasonable and practicable.

Personal information held by agencies

9.26 Under the Privacy Act, Principle 6 regulates access to personal information in the possession of Commonwealth agencies. It states:

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Personal information held by organisations

9.27 Where personal information is held by organisations, the relevant privacy principle is NPP 6, which simply provides that:

If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual.

How and why is UPP 9 different from current Commonwealth law relating to the access of personal information?

9.29 In relation to access, UPP 9 is, for the most part, simply a hybrid of Principle 6 and NPP 6. While it does depart from the current access principles in a number of ways, these changes are not significant. The following paragraphs describe the changes and the rationale behind them.

General access principle

9.30 NPP 6 is expressed in terms of an obligation on an organisation to provide access and Principle 6 is expressed in terms of a right for individuals to gain such access. The ALRC proposed in DP 72 that the UPP should adopt the language of NPP 6, in preference to Principle 6, and “be expressed as an obligation”.⁴⁷ It did not receive any submissions in opposition to this proposal. UPP 9.1 has therefore been drafted to bestow an obligation on an agency or organisation to provide access, rather than grant an individual the ability to gain it. This form is consistent with that of the other model UPPs.⁴⁸

9.31 The ALRC also recommended that UPP 9, similarly to NPP 6, apply to information that an agency or organisation “holds” rather than information in its “possession or control”, (in contrast to Principles 6 and 7). The ALRC was of the view that the word “holds” should be capable of an interpretation that incorporates “constructive possession” of documents, so that, where personal information “is in the control of one agency or organisation and the possession of another”, individuals are able to issue their request to the agency that actually possesses the information.⁴⁹ The ALRC stated that, if Parliamentary Counsel does not agree with the view that “holds” can be read in such a way, then the UPP should be drafted in another manner that does extend to constructive possession.⁵⁰

Exemptions for agencies

9.32 One of the questions raised by the ALRC in DP 72 was whether the exemptions applicable to agencies under the Privacy Act should be the same as those to which they were subject under the FOI Act (Cth). Some submissions said that the exemptions should remain the same, while others suggested that they be changed.⁵¹ In Report 108, the ALRC concluded that the exemptions covering agencies in UPP 9 should be the same as the exemptions in the FOI Act (Cth) and other relevant Commonwealth law, such as the Archives Act 1983 (Cth).

9.33 The rationale given for this conclusion was that agencies should not be expected to comply with two sets of possibly conflicting exemptions relating to the same information, nor should individuals be able to access information under the Privacy Act that would not be available under the FOI Act (Cth).⁵² As discussed in the introduction above, the ALRC considered that the question of whether any revision of the exemptions in the FOI Act (Cth) was required in order to deal with requests for personal information was one for the then anticipated review of that Act rather than Report 108.⁵³ As a result, the exemptions that appear in UPP 9 apply only to organisations.

9.34 On the face of it, there does not seem to be a reason why exemptions to the need to provide access to personal information should not be standardised. This is an issue that we shall explore in our review of FOI and access to personal information.

Exemptions for organisations

9.35 The exemptions applicable to organisations are the same as those contained in NPP 6, apart from one change. This relates to information that may be a threat to a person’s life or health, which is discussed below. There is also a change to the Note to NPP 6.2 but this is to clarify the effect of NPP 6.2 rather than change the sub-principle in any way. The Note to NPP 6.2 states:

An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

The mere fact that some explanation may be necessary in order to understand information should not be taken as grounds for withholding information under UPP 9.2.

9.37 Otherwise, the ALRC concluded that UPP 9 should include the existing exemptions in NPP 6 because, in its view, these had achieved the appropriate balance between “the public interest in safeguarding the handling of personal information” and other “competing public interests”.⁵⁵

Threat to life or health

9.38 NPP 6.1(a) provides that access does not have to be granted to an individual where the provision of information, other than health information, “would pose a serious and imminent threat to the life or health of any individual”. NPP 6.1(b) provides that access to health information does not have to be granted where it “would pose a serious threat to the life or health of any individual”. In accordance with Proposal 26-6 of DP 72, the ALRC has merged NPP 6.1(a) and (b) into one provision, UPP 9.1(b), eliminating the requirement that the threat be “imminent”.⁵⁶ The reason behind this proposal was that it was “too difficult to establish” that a threat “to the life or health of any individual” was “serious and imminent”. According to the ALRC, as long as the exception could be applied when the threat was serious, an organisation might be able to take steps to stop it becoming imminent.⁵⁷

9.39 The submissions received by the ALRC that commented upon this proposal were mostly in support of it.⁵⁸ The Office of the Federal Privacy Commissioner, (“OPC”) however, argued that the test of imminence should be maintained for information other than health information.⁵⁹ The OPC was concerned that the removal of this requirement would lead to a reduction in the level of privacy protection. It suggested that any difficulties that arose in the application of the “serious and imminent” test could be met by “guidance issued by the [OPC] and increased education of decision makers”.⁶⁰

9.40 The ALRC noted that an increased likelihood that an individual might be refused access to personal information on the ground that the information poses “a serious threat to the life or health of any individual” could result from the removal of the imminence requirement. However, the ALRC also noted that it had made further recommendations that will lessen the disadvantage caused by the removal of the requirement, including a more rigorous intermediaries provision.⁶¹ This recommendation is reflected by UPP 9.3, which is discussed below.⁶²

Commercially sensitive information

9.41 UPP 9.2 extends the applications of NPP 6.2 to agencies so that they do not have to reveal evaluative information produced within the agency in connection with a commercially sensitive decision-making process. Where an agency does not function to generate a profit, applying UPP 9.2 could prove problematic.⁶³ In those circumstances, some direction may need to be given as to the meaning of “commercially sensitive”, for example, in order to ensure that this principle corresponds with the exemptions in the FOI legislation to which agencies are subject.

Intermediaries

9.42 NPP 6.3 states that, if an organisation is not required to provide a person with the information they have requested as a result of one of the exemptions contained within NPP 6.1, it must, “if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties”.

9.43 UPP 9.3 is modelled on NPP 6.3. While formerly only applicable to organisations, it has been extended to cover agencies too. However, agencies are currently subject to s 41(3) of the FOI Act (Cth), which provides that, where information is requested and “disclosure of the information might be detrimental to the applicant’s physical or mental health or well-being” the information can be given to a “qualified person” instead of to the applicant.⁶⁴ The exposure draft Freedom of Information Amendment (Reform) Bill 2009 would repeal this section of the FOI Act (Cth).⁶⁵ The provision that replaces it, however, still refers to a “qualified person”.⁶⁶ It is possible that either UPP 9.3 will need to be amended so it reflects the FOI Act (Cth), or this matter will need to be addressed in the Privacy Commissioner’s Guidelines.

9.44 In DP 72, the ALRC proposed that the model ‘Access and Correction’ UPP should provide that, in circumstances where an exception to the general rule applies:

the organisation must take reasonable steps to reach an appropriate compromise, involving the use of a mutually agreed intermediary, that would allow for sufficient access to meet the needs of both parties.⁶⁷

9.46 The ALRC further noted that the model UPP as currently drafted is limited to situations where the parties can agree on an intermediary and does not set out a process for circumstances in which no intermediary can be mutually agreed. The ALRC took the view that the process it recommended in relation to health information would cover a sufficient number of situations that arose under UPP 9.3, as a large proportion of access complaints relate to health information. It recommended that:

where an organisation denies an individual access to his or her health information on the grounds that it is reasonably likely to pose a serious threat to any individual, the individual should have the right to nominate a health service provider and request that the organisation provide the nominated health service provider with access to the information.⁷²

Procedural Requirements

9.48 The ALRC has recommended that the procedural sections of UPP 9 (UPP 9.4 and 9.5) regulate not only organisations, but also agencies. This represents a shift away from the current position, in which the procedures used by agencies to enable people to access personal information primarily seem to be those set out in the FOI Act (Cth).⁷⁴

9.49 As discussed previously, in DP 72 the ALRC proposed that a new part dealing with access and correction to personal information held by agencies be included in the Privacy Act.⁷⁵ The ALRC further proposed that the new part should contain provisions detailing the procedures to be followed by agencies in the receipt of a request for access to personal information.⁷⁶ It stated that the procedures to be included in the new part should be “similar to, but less onerous than” those in the FOI Act (Cth).⁷⁷

9.50 The ALRC received a number of submissions supporting this proposal.⁷⁸ The OPC, however, submitted that it was not “convinced that all procedural matters needed to be set out in legislation, as opposed to being subject to guidance” issued by the Office.⁷⁹ The OPC suggested that any procedural requirements for agencies dealing with access requests that were included in the Privacy Act should be as similar as possible to the proposed UPP (which at that stage was only proposed to apply to organisations).⁸⁰

9.51 In Report 108, the ALRC stated that “an individual seeking access to personal information should not be subject to the FOI Act process where a simpler process can be established”. Accordingly, the ALRC found that it was “appropriate” for agencies to be subject to the same procedures as organisations, in relation to applications for access to personal information.⁸¹ For reasons discussed above, the ALRC had by now moved away from its DP 72 proposal to amend both the Privacy Act and the FOI Act (Cth).⁸²

9.52 The ALRC progressed from the statement that agencies and organisations should be regulated by the same procedural principles into a discussion of what the content of these principles should be. It did not canvass issues such as how the long standing use of the more prescriptive FOI procedure would change, or whether the Privacy Act or FOI Act (Cth) should be amended to state explicitly that the provisions of the latter pertaining to procedures for access are no longer relevant to personal information (although it does recommend that the OPC “develop guidance for agencies and organisations” about access and correction, including the need to reduce barriers to access of personal information).⁸³ If the UPP 9 is to be effective, these are issues that will need to be resolved at some point. Otherwise, the underlying confusion regarding the overlap between the Acts will remain. Given that we do not at this stage know what shape the Commonwealth FOI legislation will take it is not possible to comment further on this point.

Fees

9.53 UPP 9.4 relates to the fees that may be charged for access to personal information and is, apart from the addition of a Note, the same as NPP 6.4. NPP 6.4 states that, if an organisation charges fees for the provision of access to personal information, those fees “must not be excessive” and “must not apply to lodging a request for access”. Agencies are currently not able to charge for the provision of access to personal information.⁸⁴ The ALRC has recommended the inclusion of the following Note to 9.4 to clarify that organisations may continue to charge a fee for provision of access to personal information, but agencies may not:

Agencies are not to charge for providing access to personal information under UPP 9.4.

Timeliness

9.55 The ALRC recommended that the access and correction UPP should “contain a requirement that agencies and organisations must respond to requests for access to personal information within a reasonable time”.⁸⁷ Since responding to requests for access made under NPP 6 in a timely way was already considered “best practice”⁸⁸ , and the proposed requirement “generally would not impose higher obligations on an agency” than those contained within the FOI Act (Cth), the ALRC noted that it did not anticipate that the inclusion of this requirement would create a further administrative burden for either organisations or agencies.⁸⁹ UPP 9.1 therefore provides that, where an agency or organisation receives a request for access to personal information, “it must respond within a reasonable time”.

Manner of providing access

9.56 UPP 9.5 creates a requirement that did not formerly exist explicitly in the NPP, which is that “agencies and organisations must provide information in the manner requested by an individual, where reasonable and practical”.⁹⁰ The ALRC stated that it was “arguable”, although not “self-evident”, that such a requirement could already be implied in NPP 6. The express inclusion of the provision is designed to “promote clarity in the access and correction requirements”. The ALRC further said that such a requirement is consistent with those already present for agencies in the FOI Act (Cth).⁹¹ Section 20 of the FOI Act (Cth) sets out a series of “forms of access” via which access to a document may be given to an applicant. It then provides that:

Subject to subsection (3) and to section 22, where the applicant has requested access in a particular form, access shall be given in that form.⁹²

Current law in NSW

9.58 IPP 6 (PPIPA s 13) provides that agencies holding information about a person “must take such steps as are, in the circumstances, reasonable” to enable that person to determine if the agency in question holds information about them, and, if so, what the purposes are for the retention of that information, and what their entitlement to gain access to it is.⁹⁴ IPP 7 (PPIPA s 14) directs agencies upon request to provide an individual access to personal information held regarding him or her “without excessive delay or expense”.⁹⁵

9.59 HPPs 6 and 7, which appear in HRIPA and regulate access to health information, are drafted in nearly the exact terms as IPPs 6 and 7.⁹⁶ In addition, Division 3 of HRIPA sets out the procedure for access to health information held by private sector providers. Section 29, in Division 3, sets out the “situations where access need not be granted”.

9.60 As is the case at the Commonwealth level, these principles are not the only provisions governing access to personal and health information held by NSW agencies. Section 5 of PPIPA states that nothing in that Act is to affect the operation of the FOI Act (NSW). In addition, as discussed above, s 20(5) of PPIPA provides:

Without limiting the generality of section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in sections 13, 14 or 15 are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions are part of this Act.⁹⁷

9.62 In order to find exemptions to IPP 7, it is necessary to look to the FOI Act (NSW).⁹⁹ The circumstances in which access to information may be refused under the FOI Act (NSW) are set out in s 25 of that Act. They include where the document is an exempt document. The kinds of documents that are exempt from access are then listed in Schedule 1.¹⁰⁰

9.63 Clause 6 of Schedule 1 provides that documents containing information that might lead to the disclosure of “the personal affairs of any person” may be exempt if the applicant is not the person that the information relates to. Under s 31 of the FOI Act (NSW), an agency cannot give access to a document containing personal information about a person other than the applicant without first taking reasonable steps to consult the person whom the information is about in order to determine whether or not the document is exempt under Clause 6. In addition, s 31(4) provides that, in circumstances where an applicant seeks documents containing personal information that is considered to be potentially detrimental to their “physical or mental health”, it is sufficient if the documents are “given to a registered medical practitioner nominated by the applicant”.

9.64 The interaction between s 14, 15 and s 20(5) of PPIPA and the FOI Act (NSW) is not altogether clear, as is discussed below.

How does NSW law differ from UPP 9?

9.65 The comparative exercise engaged in here is complicated both by the lack of clarity in the present NSW law,¹⁰¹ as well as by the fact that the ground is shifting as we write.¹⁰² This is particularly so insofar as the provisions under consideration deal with procedural matters.

9.66 An example of the difficulties the Commission presently faces arises in relation to the issue of fees. UPP 9, as discussed above, states that fees cannot be charged for allowing access to personal information. IPP 7 provides that, where a request is made for personal information, that information should be provided “without excessive delay or expense”. According to Privacy NSW, this means that agencies cannot charge for access to personal information where an application is made under PPIPA. If an application is made under the FOI Act (NSW), the agency is currently able to charge fees. Agencies are also allowed to charge fees for the access of documents if the Acts that they administer allow them to do so.¹⁰³ This illustrates that what happens in practice is not always clear from the principles themselves. Further obscuring the issue is the fact that the public consultation draft of the Government Information (Public Access) Act 2009 provides that, in relation to applications for access to personal information, agencies “cannot impose any processing charge for the first 20 hours of processing time for the application”.¹⁰⁴

9.67 As discussed in the introduction to this chapter, the Commission has been asked to review the access provisions of the new FOI legislation. The comparison between NSW law and the UPP is best left for a subsequent report. The comparisons below are therefore merely preliminary.

Information covered by the IPPs

9.68 Since IPPs 6 and 7, and UPP 9, each import other relevant legislation, in particular FOI legislation, the above statement is particularly true in relation to any attempt to compare them. As mentioned earlier, the Commission may decide to recommend in its future report that the exemptions to access to personal information be the same for both agencies and organisations.

Information covered by the HPPs

9.69 HPP 7(2) provides that an organisation does not have to grant access under HPP 7(1) if it is “lawfully authorised or required not to comply with the provision”, or “non-compliance is otherwise permitted” by an Act or other law.¹⁰⁵ Section 29 of HRIPA lists the situations in which access to information does not have to be granted by private sector health care providers. These situations are similar to those listed in UPP 9.1, although there are some differences.

9.70 Section 29(a), like UPP 9.1(b), deals with circumstances in which the release of information “would pose a serious threat” to the health of any individual. It does not contain the extra requirement currently present in NPP 6.1(b) that the threat must not only be serious but also “imminent”.¹⁰⁶ However, s 29(a) contains the additional proviso that a refusal made in accordance with it must also accord with any relevant privacy guidelines. Likewise, s 29(b), which provides that access does not have to be granted where doing so “would have an unreasonable impact on the privacy of other individuals”, is in the same terms as UPP 9.1(c), except that it too contains the proviso that refusal must be in accordance with any guidelines of the Privacy Commissioner.

9.71 UPP 9.1 (d) provides that access does not have to be granted where “the request for access is frivolous or vexatious”. Sections 29(j) and (k) of HRIPA correspond with UPP 9.1(d). These subsections provide, respectively, that access does not have to be granted where “the request is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again”, and “the individual has been provided with access to the health information in accordance with this Act and is making an unreasonable, repeated request for access to the same information in the same manner”. The phrase “frivolous or vexatious” is most likely broad enough to encompass these scenarios.

9.72 Section 29(c), like UPP 9.1(e), contains an exception for personal information that “relates to existing or anticipated legal proceedings” and “would not be accessible by the process of discovery in those proceedings”. However, s 29(c) further provides that access does not have to be granted where the information sought is “subject to legal profession privilege”. Privilege is not referred to in UPP 9.1(e).

9.73 Section 29(d) provides that there is an exemption to the need to provide access to information where doing so:

Would reveal the intentions of the private sector person in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the private sector person unreasonably to disadvantage.

Providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations.

9.75 Intermediaries. As mentioned above, s 29(a) of HRIPA provides that access to personal information need not be granted in circumstances where it would pose a threat to the life or health of any individual. Section 30 provides that, if access is refused on this ground, the individual requesting the information “may request the private sector person to give access to the information to a registered medical practitioner nominated by the individual”.¹⁰⁸ The request to give access to a registered medical practitioner must be made within 21 days of the receipt of notification that access has been refused.¹⁰⁹ The notice that access has been refused must advise the individual that he or she can ask for the information to be given to a registered medical practitioner, and also advise the individual of the time limit that applies to the making of such a request.¹¹⁰

9.76 UPP 9.3 is broader than s 30, in that it allows for the information to be given to “a mutually agreed intermediary”. It might be the case, however, that private sector health care providers will only agree to intermediaries who are registered medical practitioners. UPP 9.3 also does not include the procedural requirements contained in s 30. Presumably, such matters will be covered in OPC guidelines.

9.77 Procedure for accessing health information. Division 3 of HRIPA also deals with the procedural aspects of access to health information. For example, s 27(1) states “a private sector person must respond to a request for access within 45 days after receiving the request”. UPP 9.1, on the other hand, provides that organisations must respond to requests for access “within a reasonable time”. While this is open to interpretation, and 45 days may be considered by some longer than reasonable and others shorter than reasonable, it is an appropriate phrase to use in high level principles. Regulations could be passed to specify the time more precisely at the local level.

9.78 In relation to fees, s 27(4) specifies that access does not have to be given until seven days after any fee that arises is paid, provided that written notice of the need to pay the fee has been given within 45 days of receiving the request. UPP 9 does not contain an equivalent provision. This is appropriate in high level principles and should be a matter for guidelines or regulations at a local level.

9.79 Division 3 of HRIPA is far more prescriptive than UPP 9, which once again is appropriate, as UPP 9 is intended to be “high level” in nature. Division 3 sets out procedures for making a request, such as requiring that requests for access be in writing and “sufficiently identify the health information to which access is being sought”.¹¹¹ It also contains provisions dealing with how a private sector person should respond to a request, and the form in which access should be provided.¹¹² If UPP 9 is adopted into NSW legislation, these procedural matters could, once again, be appropriately governed by regulations.

CORRECTION

UPP 9

9.80 In relation to correction, UPP 9 provides as follows:

9.6 If an agency or organisation holds personal information about an individual that is, with reference to a purpose for which it is held, misleading or not accurate, complete, up-to-date and relevant, the agency or organisation must take such steps, if any, as are reasonable to:

(a) correct the information so that it is accurate, complete, up-to-date, relevant and not misleading; and

(b) notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances.


9.7 If an individual and an agency or organisation disagree about whether personal information is, with reference to a purpose for which the information is held, misleading or not accurate, complete, up-to-date or relevant and:

(a) the individual asks the agency or organisation to associate with the information a statement claiming that the information is misleading or not accurate, complete, up-to-date or relevant; and

(b) where the information is held by an agency, no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the agency or organisation must take reasonable steps to do so.

Personal information held by agencies

9.81 Principle 7 deals with the correction of personal information held by agencies. It provides as follows:

Alteration of records containing personal information

1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:


(a) is accurate; and

(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.


2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:


(a) the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth.

(c) The record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

1. Section 48 of the FOI Act (Cth) provides that amendment is only possible where access to the document has been “lawfully provided”. The Privacy Act is subject to this requirement but does contain a provision allowing annotation of information on a discretionary basis.¹¹⁴

2. Principle 7.1(a) allows for correction of information that is not relevant “to the purpose for which the information was collected”. Relevance is not a criteria for correction under s 48 of the FOI Act (Cth).

3. Principle 7.1 allows for correction of information to take place by way of deletion. The FOI Act (Cth) only allows for annotation or amendment.¹¹⁵

Personal information held by organisations

9.83 NPP 6.5 and NPP 6.6 regulate the correction of information held by organisations. In contrast to Principle 7, which places an obligation upon agencies to ensure that personal information is correct, NPP 6.5 provides that an organisation only has to correct information where an individual can show that it “is not accurate, complete and up-to-date”. The organisation must then take steps to render it so.¹¹⁶ NPP 6.6, similarly to Principle 7.3, refers to circumstances in which the individual and the organisation are unable to agree as to the accuracy of personal information. It provides that, where this situation arises, the organisation “must take reasonable steps” to “associate with the information a statement claiming that the information is not accurate, complete or up-to-date”.¹¹⁷

How and why is UPP 9 different from current Commonwealth law relating to the correction of personal information?

9.84 As noted in para 9.15 the ALRC proposed in DP 72 both the repeal of Part V of the FOI Act (Cth) and the addition to the Privacy Act of a new part dealing with access to, and correction of, personal information.¹¹⁸ The ALRC suggested that the proposed new part of the Privacy Act maintain “the same obligations that are provided for under [Principle 7]”.¹¹⁹ The ALRC further proposed that the new part of the Privacy Act state the procedures to be followed when correction is to take place, including the making of an application for correction, the time within which an agency must respond to the application, and how corrections are to be made.¹²⁰ The access and correction UPP as formulated in DP 72 was initially only to apply to organisations.¹²¹

9.85 The reasons why the ALRC moved away from this position in its final report to recommend that UPP 9 apply to both agencies and organisations are explained earlier in this chapter.¹²²

9.86 One of the main differences between the provisions of UPP 9 that relate to correction and the current Commonwealth law is that the limitations on correction of personal information held by agencies that exist in the FOI Act (Cth) will no longer apply to applications for correction made under the Privacy Act. However, this is not the only variation from existing Commonwealth law made by UPP 9. What follows is a discussion of UPP 9.6 and UPP 9.7, and how these principles differ from both the DP 72 proposals and the current Commonwealth law.

UPP 9.6 – Removal of FOI limitations on the correction of personal information

9.87 Unlike Principle 7, which states that the obligation of agencies to correct the personal information they held is “subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents”, UPP 9.6 contains no reference to relevant Commonwealth law. In Report 108, the ALRC stated that the ability to correct information under the Privacy Act “should no longer be subject to the limitations that exist” in the FOI Act (Cth).¹²³ These limitations, discussed in detail below, can be summarised as follows:

• The individual must have been lawfully provided with the document.
• The document must have been used for an administrative purpose.
• The application must comply with procedural steps.

9.89 The OPC noted that, if an error came to light by other means, for example, a person might be sent “a letter containing incorrect personal information”, that person should not have to go through an application process simply to request correction details they already know to be incorrect.¹²⁶ The ALRC also suggested that there might be cases where a person is denied access to a document that falls within one of the exemptions, “but they are sufficiently aware” of its contents “to know or suspect that it contains false or inaccurate information”.¹²⁷

9.90 In making the recommendation not to include this limitation in UPP 9.6, the ALRC acknowledged that “regulators and law enforcement agencies” feared that its removal could allow a person who was “the subject of current enforcement action at any stage of that process to demand correction of personal information held by the agency”.¹²⁸ The ALRC pointed out, however, that UPP 9.6 only required agencies to “take such steps, if any, as are reasonable”¹²⁹ to correct information, and “what is reasonable would depend on the circumstances in question”.¹³⁰

9.91 Administrative purpose requirement. Section 48(b) of the FOI Act (Cth) provides that a person can only ask for correction of information “that has been used, is being used or is available for use by the agency or Minister for an administrative purpose.” As to the meaning of “administrative purpose”, Slezankiewicz v Australian and Overseas Telecommunications Corporation held that this is “a purpose that has to do with the management of the agency in whose possession a document is held”.¹³¹ In Report 108, the ALRC stated that while it “did not recommend that this limitation apply” to UPP 9, it considered that “agencies should not be required to correct information that will not be used or disclosed”.¹³²

9.92 Procedural requirements. Sections 48-49 provide that applications for amendment must be in writing, must specify both the document containing the record and the nature of the amendment sought and must be sent by post or delivered to the agency.¹³³ Section 50 outlines the ways in which a document can be amended by an agency where it is satisfied that amendment is justified.¹³⁴

9.93 As explained above, the OPC Guidelines advise agencies to use the procedure set out in Part V. This is because the FOI Act (Cth) and internal agency FOI policies already provide “detailed guidelines” for the processing of applications, and so using them avoids duplication. The guidelines note that this advice “is a matter of good administration, rather than a legal obligation”.¹³⁵ The ALRC recommended that the OPC should formulate guidelines on the access and correction principle, including on procedural matters.¹³⁶

Other ways in which UPP 9.6 is different from current Commonwealth law

9.94 “Correct” information. In Report 108, the ALRC noted “whether information is ‘correct’ for the purposes of the Privacy Act is not necessarily self-evident. Rather, this will depend upon the criteria by which correctness of personal information is assessed”.¹³⁷ The criteria contained within Principle 7 are different from those within NPP 6.5. Both principles refer to the need to ensure that information is “accurate”, “up-to-date” and “complete”, but Principle 7 states that it also must be “relevant” and “not misleading”.¹³⁸ In addition, unlike NPP 6.5, Principle 7 provides that these criteria are to be considered “having regard to the purpose for which the information was collected or is to be used and to any purpose related to that purpose”.¹³⁹

9.95 The ALRC noted that there was a “close relationship” between the “correction criteria” contained within the access and correction principles and the obligation placed upon organisations by NPP 3, the “Data Quality” principle to:

Take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

9.96 In DP 72, the ALRC proposed that UPP 9, which was only to apply to organisations at that stage, should provide that an individual who sought correction of personal information held by an organisation must show that the information was “with reference to a purpose of collection permitted by the UPPs, not accurate, complete, up-to-date and relevant”.¹⁴² This proposal was designed to bring the ‘Access and Correction’ principle into line with the data quality principle.¹⁴³ The ALRC also proposed that a like obligation for agencies should be included in the proposed new Part of the Privacy Act.¹⁴⁴

9.97 In Report 108, the ALRC noted that most of the submissions it received supported these proposals, although some raised concerns as to whether the requirement to have reference to purpose of collection might enable an organisation to refuse to correct information that might be incorrect in relation to one purpose, but correct for another.¹⁴⁵ The ALRC also noted that Privacy NSW supported the proposed change in relation to agencies, but said that this was “provided the existing provisions of the FOI Act are referred to in the ‘Access and Correction’ principle itself, or that it is annexed to the Privacy Act”.¹⁴⁶ The Australian Communications and Media Authority expressed concern that this proposal could have implications for both agency resources and the capacity for some agencies to carry out their regulatory or law enforcement functions.¹⁴⁷

9.98 The ALRC ultimately expressed the view that a person “should be provided with the right to correct personal information held by agencies and organisations where the information is misleading or not accurate, relevant, up-to-date or complete”.¹⁴⁸ The ALRC noted that the data quality principle already obliged agencies or organisations holding irrelevant personal information “to destroy it, or render it non-identifiable” in most situations.¹⁴⁹ The ALRC further noted that it might be possible for “an agency or organisation to hold personal information that is relevant for one of its functions or activities but not another”. In such cases, the ALRC suggested, the individual should be able to have the information corrected in relation to the purpose for which it is irrelevant.¹⁵⁰

9.99 As the discussion above demonstrates, the ALRC did not propose in DP 72 that the criteria of “misleading” should be applied to organisations in DP 72. However, in Report 108 the ALRC noted that, under s 18J of the Privacy Act, credit reporting agencies were required to ensure that personal information in credit information files and credit reports was not misleading.¹⁵¹ Furthermore, the ALRC did not believe that imposing a requirement upon organisations to correct information that was misleading “would impose a significant new compliance burden upon” them.¹⁵² It noted that often information that was “misleading” would fall under one of the other categories of information requiring correction anyway.¹⁵³

9.100 The ALRC noted that, in circumstances where “information is ‘misleading’, but is otherwise accurate, complete, up-to-date and relevant, this will result in a difference between the correction requirements of the ‘Access and Correction’ principle and the ‘Data Quality’ principle”. The ALRC indicated, however, that since these principles operated in “different contexts”, it considered “this discrepancy to be appropriate”.¹⁵⁴

9.101 Also in relation to data quality, the ALRC observed that it should be measured, in accordance with the data quality principle, “with reference to the purpose for which [the] information is being collected, used or disclosed”.¹⁵⁵ However, where the access and correction principle is engaged, whether or not information is correct “should be ascertained by reference to the purpose for which information is being held”.¹⁵⁶ The ALRC noted that, when it is being considered whether or not personal information is correct in accordance with UPP 9, “[t]he purpose justifying retention of the information under the ‘Data Security’ principle also should be taken into account”.¹⁵⁷

9.102 Establishing that personal information is not correct. NPP 6.5 places an obligation on individuals requesting corrections to personal information to “establish that the information is not accurate, complete and up to date”. Under Principle 7.1, however, the obligation rests with an agency to ensure that personal information it holds is correct. The ALRC did not suggest the removal of the onus in NPP 6.5 in DP 72, but it nonetheless received submissions stating that the onus led to uncertainty, since the principle itself did not contain any indication of the standard of proof to which an individual should be held when attempting to establish the inaccuracy of the information.¹⁵⁸

9.103 The ALRC accepted these submissions. As a result, the proposed UPP 9.6 requires agencies and organisations to ensure that their records are correct “in accordance with the requisite criteria”.¹⁵⁹ The form of the words used is similar to that of Principle 7.1. The ALRC noted that since agencies are already subject to this obligation, they should not have to alter their existing practices.¹⁶⁰ The ALRC further noted that this change should not overly affect the practices of organisations. It will remain necessary for an individual seeking correction of information to show that it is incorrect, or for the agency or organisation to demonstrate that it is correct.¹⁶¹ However, the ALRC stated that, where a complaint arises about a decision in relation to UPP 9.6, “the relevant issue is the correctness of the personal information that is held by the agency or organisation”.¹⁶²

9.104 How correction should be carried out. NPP 6 contains no mention of how correction should be carried out. Principle 7.1 provides that, when correcting personal information, an agency must make “appropriate corrections, deletions and additions as are in the circumstances reasonable” in order to ensure the accuracy of the record. Section 50(3) of the FOI Act (Cth) further provides that, when an agency is amending personal information, it must, “to the extent that it is reasonably practical to do so”, make sure “that the record of information is amended in a way that does not obliterate the text of the record as it existed prior to the amendment”. If UPP 9 is accepted, the form of an application to correct personal information under the Privacy Act will not be subject to this FOI requirement.

9.105 The ALRC stated, that while no proposal in DP 72 addressed this issue in particular, it received some submissions that “noted the potential tension between the obligation to correct personal information and archiving responsibilities”.¹⁶³ The ALRC noted the submission of the National Archives of Australia, which expressed concern regarding any potential changes to the FOI Act (Cth) that might promote the deletion of personal information at the expense of other requirements of proper record-keeping. The National Archives submitted that, rather than deleting information, it was more appropriate to amend or correct a record.¹⁶⁴

9.106 The ALRC concluded that the issue of how to balance the need to correct personal information with record-keeping obligations, such as those under the Archives Act 1983 (Cth), should be covered in the guidelines on UPP 9 it had recommended that the OPC produce.¹⁶⁵

Notifiying third parties

9.107 UPP 9.6(b) provides that, when a correction is made to personal information, an “agency or organisation must take such steps, if any, as are reasonable” to:

Notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practical in the circumstances.

9.108 The ALRC received a number of submissions on this point. Some supported the inclusion of this requirement. Some suggested that it be widened, for example, by removing the need for an individual to request notification of third parties.¹⁶⁹ However, other submissions expressed concern at the proposal, and indicated that it could have resource implications for both agencies and organisations.¹⁷⁰ Further submissions argued that it placed an “inappropriate burden” on agencies and organisations.¹⁷¹

9.109 The ALRC quoted from the submission by GE Money Australia, which pointed out that the proposal “appears to have implicit in it that there is a fault on the part of the organisation by reason of it having and having disclosed information that may not be correct or up to date” when it might be the case that the information provided to the organisation itself might have been “[i]ncorrect or unclear”.¹⁷² The ALRC also quoted the submission made by ANZ to the effect that, while it did not think the change was necessary, if the requirement to notify third parties was included in UPP 9 it should be qualified only to apply “where inaccuracies are considered by a reasonable person to be material and [notification] would be practical in the circumstances”.¹⁷³

9.110 The ALRC concluded that the requirement should be included in order to “reduce the risk that any entities to which the incorrect personal information has been disclosed will use or disclose the information inappropriately at a later time”.¹⁷⁴ The ALRC was of the opinion that the “reasonable steps” qualification contained within UPP 9.6(b) should help to address the concerns about the cost burden that this requirement might place on agencies and organisations.¹⁷⁵ The ALRC indicated that the OPC give guidance as to what factors an agency or organisation should consider when determining whether it was “reasonable and practicable to notify third parties that it has disclosed incorrect information”.¹⁷⁶

UPP 9.7 – Annotation of personal information

9.111 Principle 7.3 provides that, where an agency does not agree to correct personal information:

[T]he record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable to attach to the record any statement provided by the individual of the correction, deletion or addition sought.

9.113 In DP 72, the ALRC stated that, in its view, the word “associate”, used in NPP 6.6, was more appropriate than the word “attach,” which was used in Principle 7.3, since it was “more technologically neutral, allowing a more flexible approach for organisations that record personal information electronically”.¹⁷⁷ The ALRC believed that the word “associate” was, as a result, “more likely to achieve the main objective” of this principle, which was to “ensure that the opinion of the individual concerned is easily accessible when the organisation seeks to use or disclose” the information.¹⁷⁸

9.114 The ALRC received submissions in support of this proposal.¹⁷⁹ It concluded that UPP 9.7(a), which was now to apply to both agencies and organisations,¹⁸⁰ should contain the word “associate” rather than “attach.” The ALRC considered that it was “inherent to the meaning of ‘associate’” that statements were associated in a way that makes them “apparent to subsequent users”.¹⁸¹

9.115 UPP 9.7(b), which is applicable to agencies only, contains a qualification of the above requirement to associate a statement where so requested. The agency is to do so:

Where no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth.

These provisions would not be required if the FOI Act did not regulate the correction of personal information. These provisions should be considered as part of the ALRC’s review of the FOI Act and related laws.¹⁸³

9.117 IPP 8 (s 15, PPIPA) deals with the correction or “alteration” of personal information. It provides that, following a request from an individual about whom a public sector agency holds information, the agency must, at the request of an individual, make any amendments that may be necessary to ensure that the information:

(a) is accurate, and

(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.¹⁸⁴

9.119 Like the FOI Act (Cth), the FOI Act (NSW) sets out a procedure, contained within Part 4, for the amendment of personal records. Section 39 of the FOI Act (NSW) provides that a person can “apply for the amendment of the agency’s records” in circumstances where they contain “information concerning that person’s affairs”, are used by the agency “in connection with its administrative functions” and the information in them is “in the person’s opinion, incomplete, incorrect, out of date or misleading”. Part 4 also sets out a procedure for dealing with applications, and one for annotating records in circumstances where applications for amendment are refused. As is the case with access to personal information, the FOI Act (NSW) is far more prescriptive in relation to how correction is to take place than PPIPA. Under Schedule 1 of the Government Information (Consequential Amendments and Repeals) Act 2009 (NSW), Part 4 of the FOI Act (NSW) is being moved temporarily to PPIPA.¹⁸⁶

Health information

9.120 HPP 8(1), (2) and (3) of HRIPA is drafted in the same terms as IPP 8(1), (2) and (3). Once more, the only difference is that HPP 8 applies to private sector health care providers as well as public sector ones. A statutory note in HPP 8 states that amendment in relation to information held by public sector organisations may also be sought under the FOI Act (NSW), while Division 4 of Part 4 of HRIPA contains provisions relevant to the amendment of private sector-held information. Division 4 of Part 4 sets out a procedure for the making and resolution of applications for amendment of health information. A further statutory note in Division 4 indicates that its provisions are “additional to, and assist the operation of, the general principles in HPP 8”.¹⁸⁷ Section 35 of HRIPA deals with annotation of the record in circumstances where the “private sector person” has refused to correct it.

NSWLRC Consultation Paper 3

9.121 Apart from the issues discussed at the outset of this chapter,¹⁸⁸ the only other issue raised by the Commission in CP 3 in relation to correction was to do with an apparent inconsistency between sub-sections (1) and (2) of s 15 of PPIPA (IPP 8). Subsection 15(1) provides that an agency must amend personal information if requested, whereas s 15(2) provides that, if the agency is not prepared to make amendments as requested, then certain steps follow. In other words, s 15(2) envisages that the agency can refuse to make requested amendments, whereas s 15(1) is apparently making an amendment mandatory upon request.

9.122 This issue does not have a bearing on UPP 9, which avoids the inconsistency. Like s 15(1), UPP 9.6 places an obligation on an agency (or organisation) to correct information but, unlike s 15(2), UPP 9.7 departs from the obligation only where the agency/organisation doesn’t agree that there is an inaccuracy, or suchlike.

How is NSW law different from the proposed UPP 9?

FOI limitations

9.123 As discussed above, it is not clear exactly which provisions of the FOI Act (NSW) are imported into PPIPA by s 20(5), or into HRIPA by s 22(3).¹⁸⁹ Section 39 of the FOI Act (NSW) refers to the “right to apply for amendment of agencies, records”. If this is read in the same way as s 48 of the FOI Act (Cth),¹⁹⁰ it contains two limitations that are not in UPP 9. We agree in principle that the limitations should not apply to requests for correction of personal information.

Other changes

9.124 In NSW, both IPP 8 and HPP 8 state that the agency or private sector health care provider must “make appropriate amendments” to the personal information they hold “at the request of the individual to whom the information relates”. Hence, unlike UPP 9.6, IPP 8 and HPP 8 refer specifically to the need for the individual to request correction before it takes place. However, also unlike NPP 6.5 the NSW principles do not place a burden of proof upon the individual to show that the information is incorrect. This differs from UPP 9.6, which places an obligation upon agencies and organisations to correct personal information that is incorrect, but does not specifically anchor this obligation to a request from the individual. UPP 9.6 also differs from NPP 6.5, which, as explained above stated that information had to be corrected where an “individual is able to establish” that it is incorrect.

9.125 In relation to the criteria against which personal information is to be assessed as correct or not, the current NSW principles state that information should be “accurate” and “having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading”. These criteria reflect those in UPP 9.6. Indeed the changes to the Commonwealth law recommended by the ALRC bring the UPP more closely in to line with the NSW correction principles. If not prepared to amend information in accordance with a request for correction, both IPP 8 and HPP 8 provide that agencies and private health care providers must:

[T]ake such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.

9.127 In relation to the need to notify third parties of changes, IPP 8(3) provides:

If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.

9.129 Unlike IPP 8(3), HPP (3) also includes a Statutory Note that provides that correction of health information held by agencies may also be sought under the FOI Act (NSW), and also that Division 4 of Part 4 of HRIPA “contains provisions applicable to private sector persons in connection with the matters dealt with in this clause”. Division 4 of Part 4 of HRIPA sets out the procedure that private sector health care providers must follow in relation to requests for amendment of personal information. It also covers such matters as the form a request should be in and the timeframe in which the private sector health care provider should respond, and provides for the annotation of records in circumstances where the health care provider does not agree that the information is incorrect.¹⁹⁴

REFUSAL OF REQUEST TO ACCESS OR CORRECT

UPP 9

9.130 Where an agency or organisation refuses to provide access to or correct personal information, UPP 9.8 provides:

9.8 Where an agency or organisation denies a request for access or refuses to correct personal information it must provide the individual with:

(a) reasons for the denial of access or refusal to correct the information, except to the extent that providing such reasons would undermine a lawful reason for denying access or refusing to correct the information; and

(b) notice of potential avenues for complaint.

9.131 NPP 6.7 provides that organisations “must provide reasons for denial of access or a refusal to correct personal information”, but NPP 6 does not contain any reference to a need to provide notice of potential avenues of complaint. There is no requirement in Principles 6 or 7 to give either reasons or notice of avenues of complaint. However, s 26 of the FOI Act (Cth) requires a “decision-maker” to “cause the applicant to be given notice in writing of the decision”.¹⁹⁵ Section 26 also specifies that the notice should:

[S]tate the findings on any material questions of fact, referring to the material on which those findings were based, and state the reasons for the decision.¹⁹⁶

9.132 The ALRC noted that, although no proposal was put forward on this issue in DP 72, it received some submissions on the matter.¹⁹⁸ The ALRC said that “[p]rivacy advocates submitted that the obligation to give reasons needed to be more specific in requiring an organisation to specify which of the exemptions it has relied on to deny access or correction”.¹⁹⁹ The ALRC also stated that the Commonwealth Attorney-General’s Department had submitted that “there should be an exception from the requirement to provide a reason for denial of access where the reason for denial is because of one or more of paragraphs 9.1(f) to (j) of the proposed ‘Access and Correction’ principle” because providing reasons for not granting access “may prejudice investigations or prosecutions in relation to mutual assistance or extradition”.²⁰⁰ In addition, the Office of the Victorian Privacy Commissioner submitted that organisations that have refused access to personal information “should be required to advise individuals about how this decision can be appealed”.²⁰¹

9.133 The ALRC concluded that, where an agency or organisation has decided to refuse a request for access or correction, “it is an important element of procedural fairness for the individual to be provided with the reason for the adverse decision”.²⁰² In its view, this would generally “require the agency or organisation to tell the individual which exception it is relying on to refuse access”.²⁰³ The ALRC noted that there might be circumstances where the provision of reasons for the decision “would undermine the very reason that the agency or organisation has denied the individual access to the information or has refused to make the requested correction”.²⁰⁴ The ALRC recommended that UPP 9 should provide for this contingency.²⁰⁵

9.134 The ALRC also considered it appropriate for agencies and organisations to notify applicants of any avenues of appeal they may have in relation to the decision not to allow access or correct personal information. The ALRC recommended that this should be done in the Privacy Policy of the agency or organisation. It stated that, as long as “this Privacy Policy is readily available, it would be open to an agency or organisation to meet its requirements under the ‘Access and Correction’ principle by referring individuals to the relevant section of this document”.²⁰⁶

How UPP 9.8 is different from NSW law

9.135 There is currently no requirement to give reasons for the refusal to allow access to, or to correct, personal information. However, Part 4 of HRIPA and the FOI Act (NSW) each contain provisions stating that, in circumstances where access or correction is refused, written reasons for the refusal should be provided by the agency or organisation.²⁰⁷ The provisions relating to reasons in the FOI Act (NSW) include detailed requirements as to what these “notices of determination” should contain. For example, s 28 of the FOI Act (NSW), which relates to decisions made in relation to the access of documents, provides that the notice shall specify the date of the determination, the reasons for the decision and “the findings on any material questions of fact underlying those reasons, together with a reference to the sources of information on which those findings are based”, as well as the name of the officer who made the determination, any rights of review available to the individual making the request for access and the procedures to be followed in exercising those rights.²⁰⁸ Section 45 contains the same requirements for notices of determination in relation to requests for correction.

9.136 If UPP 9 is adopted in NSW, it may be necessary to address any gaps in the procedural aspects of the access and correction process in guidelines issued by the NSW Privacy Commissioner.

CONCLUSION

9.137 UPP 9 goes some way towards addressing the longstanding problems that arise from the overlapping provisions of the FOI and privacy legislation. For example, the ALRC has begun to disentangle the procedure for access and correction under the privacy legislation from that under the FOI legislation, and some of the changes embodied in UPP 9 may help to simplify the actual process of accessing and correcting personal information.

9.138 However, we must return to the point made at the beginning of this chapter, which is that UPP 9 does not, and indeed cannot, entirely address the problems arising from the overlap between the Privacy Act and the FOI Act (Cth). We also reiterate our earlier point that, while access under privacy legislation remains subject to exemptions under the FOI legislation, access interests will not be uniform across jurisdictions unless the exemption provisions of Commonwealth and State FOI legislation are comparable.

9.139 At this stage, the Commission is of the view that UPP 9 is an adequate access and correction privacy principle. However, many of the questions that arise in relation to UPP 9 also raise, or relate to, issues regarding the interface between privacy and FOI legislation, and, as likewise noted in the introduction, the landscape here is changing. UPP 9 will need to be considered in the context of any future report on privacy and access to personal information.

1. This is only the case where information is held by public sector agencies.

2. Key legislation includes the Freedom of Information Act 1982 (Cth), the Archives Act 1983 (Cth), the Freedom of Information Act 1989 (NSW), the Local Government Act 1993 (NSW) and the State Records Act 1998 (NSW).

3. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper No 3 (2008) (“NSWLRC CP 3”) [8.5], also citing NSW Ombudsman, Submission to the Review of the Privacy and Personal Information Act 1998, 16, quoting former Privacy Commissioner, Chris Puplick.

4. The FOI Act (Cth) predates the Privacy Act. It was intended that Part V of the FOI Act (Cth), which gives correction and annotation rights, would be transferred from the FOI Act into the privacy legislation “should the latter be enacted.” See Parliament of Australia, Senate Standing Committee on Legal and Constitutional Affairs, Freedom of Information Act 1982 – The Operation and Administration of the Freedom of Information Legislation (1987) [15.7] as cited by Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”), vol 1 [15.33]. This did not happen and hence the current situation, where both the Privacy Act and the FOI Act give access and correction rights, came about. In their 1995 joint report the ALRC and the Administrative Review Council canvassed this issue, but decided not to recommend a change to the FOI Act (Cth). This conclusion was based in part on submissions the ALRC received indicating that many requests for information were “mixed”, in that they sought both personal and other information, and the system would become overly complex if such applications had to be dealt with in accordance with two different Acts: Australian Law Reform Commission and the Administrative Review Council, Open Government: a review of the federal Freedom of Information Act 1982 (1995) [5.17].

5. See para 9.15-9.19.

6. Senator Faulker, Cabinet Secretary and Special Minister for State, (Media Release, 22 July 2008) «http://www.smos.gov.au/media/2008/mr_252008.html» at 9 June 2009.

7. Senator Faulker, Cabinet Secretary and Special Minister for State, Freedom of Information (FOI) Reform Companion Guide (March 2009), 14. The Guide says further that “[t]he co-location of privacy and FOI in a single office [which is the effect of the Information Commissioner Bill 2009 (Cth)], and the future reform of the Privacy Act foreshadowed last year, is intended to strengthen and elevate the role and importance of privacy laws” (at 14).

8. NSW Department of Premier and Cabinet, FOI Reform – Open Government Information, «http://www.dpc.nsw.gov.au/prem/foi_reform__open_

government_information» at 9 June 2009.

9. Terms of Reference received 1 June 2009, in addition to those received on 11 April 2006. See para 0.21

10. NSW Department of Premier and Cabinet, Open Government Information – FOI Reform in New South Wales (May 2009), 10.

11. Government Information (Public Access) Act 2009 (NSW) sch 4, cl 4, Privacy and Personal Information Protection Act 1998 (NSW) s 4.

12. NSWLRC CP 3 [6.32], citing Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (24 June 2004), 50. For the text of s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) see para 9.60.

13. NSWLRC CP 3.

14. NSWLRC CP 3 [6.33], citing Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (24 June 2004), 82.

15. NSWLRC CP 3 [6.34], citing Privacy NSW, Submission on the Review of the Privacy and Personal Information Protection Act 1998 (24 June 2004), 83.

16. NSWLRC CP 3 Proposal 13.

17. NSWLRC CP 3 [8.9].

18. NSWLRC CP 3 Issues 62 and 63.

19. Australian Privacy Foundation, Submission, 9 and 15.

20. Public Interest Advocacy Centre, Submission, 32.

21. Public Interest Advocacy Centre, Submission, 33.

22. Legal Aid Commission of NSW, Submission, 6.

23. Legal Aid Commission of NSW, Submission, 7.

24. Privacy NSW, Submission, 1.

25. NSW Department of Community Services, Submission, 5.

26. NSW Department of Corrective Services, Submission, 6-7.

27. NSW State Records Office, Submission, 2, Law Society of NSW, Submission, 16.

28. Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper No 72 (2007) (“ALRC DP 72”) vol 1 [12.37].

29. ALRC DP 72 Proposal 12-6.

30. ALRC DP 72 Proposal 12-7.

31. ALRC DP 72 vol 1 [12.41].

32. ALRC DP 72 vol 1 [12.39].

33. ALRC DP 72 Proposal 26-1.

34. ALRC Report 108 vol 1 [15.48]-[15.51]. Work was stopped on the FOI reference following further developments; see para 9.5.

35. In relation to the submissions it received regarding this proposal, the ALRC stated that, while some supported it, others submitted that the access and correction principle should apply to agencies as well. There were a number of reasons behind this failure to support the proposal, including that having separate provisions for agencies and organisations “would create confusion; contradict the aim of creating a single set of privacy principles; and would not address the problems caused by requests for access to documents containing both personal and non-personal information, or a mix of information about two or more individuals”. The ALRC also pointed out that other submissions did not support the repeal of Part V of the FOI Act (Cth). The reasons given included that “the FOI Act is already adequately structured to accommodate the access and correction provisions”. The ALRC also noted that the “OPC submitted that it would be more appropriate to expand the correction rights under the FOI Act to be consistent with those in the Privacy Act”. See ALRC Report 108 vol 1 [15.39]-[15.41] and accompanying footnotes.

36. ALRC Report 108 vol 2 [29.3].

37. ALRC Report 108 vol 1 [15.50].

38. ALRC Report 108 vol 1 [15.47]-[15.48].

39. ALRC Report 108 vol 2 Recommendation 29-1.

40. ALRC Report 108 vol 2 Recommendation 29-1(a) and (b).

41. See ALRC Report 108 vol 2 Recommendation 29-2.

42. The Freedom of Information Act 1982 (Cth) and the Freedom of Information Act 1989 (NSW) both refer to the “amendment” of documents, as does the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) but, for convenience, this chapter mostly refers simply to “correction” of information.

43. ALRC Report 108 vol 1 [15.51].

44. ALRC Report 108 vol 1 [15.52].

45. ALRC Report 108 vol 1 [15.42].

46. See NPP 6.1(a)-(k).

47. ALRC DP 72 vol 1 [12.43], Proposal 12-8(a).

48. ALRC Report 108 vol 2 [29.25]-[29.26].

49. ALRC Report 108 vol 2 [29.29].

50. ALRC Report 108 vol 2 [29.31].

51. ALRC Report 108 vol 2 [29.41]-[29.43].

52. ALRC Report 108 vol 2 [29.44].

53. ALRC Report 108 vol 2 [29.44]-[29.47].

54. ALRC Report 108 vol 2 [29.58], [29.64].

55. ALRC Report 108 vol 2 [29.63].

56. ALRC DP 72 Proposal 26-6, also see vol 2 [26.58].

57. ALRC DP 72 vol 2 [26.57].

58. ALRC Report 108 vol 2 [29.53].

59. Office of the Federal Privacy Commissioner, Submission PR 499, cited by ALRC Report 108 vol 2 [29.54].

60. Office of the Federal Privacy Commissioner, Submission PR 499, 20 December 2007. The decision not to include the requirement that a threat be “imminent” as well as “serious” in UPP 9 is consistent with the ALRC’s proposed use and disclosure UPP, UPP 5, and reflects the reasoning given in relation to that UPP: ALRC Report 108 vol 2 [29.59]. See also para 5.27-5.30 for a discussion of the use and disclosure principle, including on the rationale for the removal of the “imminent” requirement in that instance.

61. ALRC Report 108 vol 2 [29.62].

62. See para 9.42-9.47.

63. State-owned corporations are one exception.

64. Freedom of Information Act 1982 (Cth) s 41(3). A “qualified person” is defined in s 41(8) as a person occupied in “the provision of care for their well-being, and, without limiting the generality of the foregoing, includes any of the following: (a) a medical practitioner; (b) a psychiatrist; (c) a psychologist”.

65. Freedom of Information Amendment (Reform) Bill 2009 (Cth) s 24.

66. Freedom of Information Amendment (Reform) Bill 2009 (Cth) s 47 F.

67. ALRC DP 72 Proposal 26-2.

68. ALRC Report 108 vol 2 [29.76]. This change was made following submissions from the Australian Federal Police and the Australian Communications and Media Authority.

69. ALRC Report 108 vol 2 [29.78].

70. ALRC Report 108 vol 2 [29.79].

71. ALRC Report 108 vol 2 [29.82].

72. ALRC Report 108 vol 2 [29.80].

73. ALRC Report 108 vol 2 [29.81].

74. The Federal Privacy Commissioner’s Information Privacy Principles Guidelines advise agencies in receipt of requests for access to personal information to handle them “under its normal access processes, which will include, but may not be restricted to FOI”. The Guidelines further state that the Privacy Commissioner did not set up separate administrative systems for Principle 6, since the FOI Act (Cth) already provided a procedural framework for the access of information, including personal information (see Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4-7 (1988) «http://www.privacy.gov.au/publications/HRC_PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf» 13, at 26 March 2009). The Centrelink website, for example, sets out the process for the access of personal information as one that is FOI in character (see Centrelink, Freedom of Information (FOI) «http://www.centrelink.gov.au/internet/internet.nsf/legal/foi.htm» (undated) at 26 March 2009). The form required for access or correction of personal information, which is accessible via the site, is headed “Freedom of Information: I want to access or change document(s)” (see Centrelink, “Freedom of Information: I want to access or change documents” Form Si031 «http://www.centrelink.gov.au/internet/internet.nsf/filestores/si031_0808/$file/si031_0808en_p.pdf» (undated) at 26 March 2009.

75. ALRC DP 72 Proposal 12-6. See para 9.15.

76. ALRC DP 72 Proposal 12-11.

77. ALRC DP 72 vol 1 [12.59].

78. ALRC Report 108 vol 2 [29.143].

79. Office of the Federal Privacy Commissioner, Submission PR499, as cited by ALRC Report 108 vol 2 [29.144].

80. Office of the Federal Privacy Commissioner, Submission PR499, as cited by ALRC Report 108 vol 2 [29.144].

81. ALRC Report 108 vol 2 [29.146].

82. See para 9.17-9.19.

83. ALRC Report 108 vol 2 [29.167].

84. ALRC Report 108 vol 2 [29.160].

85. ALRC Report 108 vol 2 [29.160].

86. ALRC Report 108 vol 2 [29.161].

87. ALRC Report 108 vol 2 [29.162].

88. ALRC Report 108 vol 2 [29.162], citing J Douglas-Stewart, Annotated Privacy Principles (2005) [7.3740].

89. ALRC Report 108 vol 2 [29.162].

90. ALRC Report 108 vol 2 [29.163], UPP 9.5.

91. ALRC Report 108 vol 2 [29.163].

92. Freedom of Information Act 1982 (Cth) s 20(2).

93. Freedom of Information Act 1982 (Cth) s 20(3), 22.

94. Privacy and Personal Information Protection Act 1998 (NSW) s 13.

95. Privacy and Personal Information Protection Act 1998 (NSW) s 14.

96. Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 6-8.

97. Privacy and Personal Information Protection Act 1998 (NSW) s 20(5), see also para 9.8-9.10.

98. Health Records and Information Privacy Act 2002 (NSW) sch 1, cl 7.

99. Freedom of Information Act 1989 (NSW) s 25 and sch 1.

100. Apart from the obvious exemptions of cabinet and executive council documents, other exemptions include, but are not limited to, documents subject to legal professional privilege, those relating to the internal workings of agencies and those relating to business affairs.

101. See para 9.3, 9.8-9.10.

102. See para 9.5-9.6.

103. Privacy NSW, Consultation.

104. Government Information (Public Access) Act 2009 (NSW) s 67.

105. Health Records and Information Privacy Act 2002 (NSW) sch 1, HPP 7(2)(a) and (b).

106. It should be noted in any event that NPP 6.1(a) only applies to personal information other than health information. NPP 6.1(b) is the principle applicable to health information, and, like s 29(a), it does not contain the requirement that the threat be “imminent”.

107. Health Records and Information Privacy Act 2002 (NSW) s 29(i); Privacy Act 1988 (Cth) sch 3 cl 6.1(k).

108. Health Records and Information Privacy Act 2002 (NSW) s 30(2).

109. Health Records and Information Privacy Act 2002 (NSW) s 30(3).

110. Health Records and Information Privacy Act 2002 (NSW) s 30(4).

111. Health Records and Information Privacy Act 2002 (NSW) s 26(1)(a) and (b).

112. Health Records and Information Privacy Act 2002 (NSW) s 27 and 28.

113. Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4-7 (1988) 18 «http://www.privacy.gov.au/publications/HRC_

PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf» at 26 March 2009.

114. Freedom of Information Act 1982 (Cth) s 48. Section 35 of the Privacy Act 1988 (Cth) sets out a procedure via which, in circumstances where an individual has had both a request for access under the Freedom of Information Act and a subsequent request for amendment refused, the Privacy Commissioner can direct the relevant agency “to add to the document an appropriate notation setting out the particulars of the amendments of the document that the Commissioner thinks should be made”.

115. Freedom of Information Act 1982 (Cth) s 48; Privacy Act 1988 (Cth) s 14, Principle 7.1.

116. Privacy Act 1988 sch 3, cl 6.5.

117. Privacy Act 1988 (Cth) sch 3, cl 6.6.

118. ALRC DP 72 Proposal 12-6.

119. ALRC DP 72 vol 1 [12.51].

120. ALRC DP 72 see Proposal 12-11 (a)-(g).

121. ALRC DP 72 Proposal 26-1.

122. See para 9.17-9.18.

123. ALRC Report 108 vol 1 [15.53].

124. ALRC DP 72 vol 1 [12.55] and Proposal 12-9. The ALRC also pointed out that, in a previous report, it had made a recommendation that the “lawful access” requirement should be removed from the FOI Act (Cth) itself: see Australian Law Reform Commission and the Administrative Review Council, Open Government: a review of the federal Freedom of Information Act 1982, Report No 77 (1995) Recommendation 77, as cited in DP 72 vol 1 [12.53].

125. Office of the Federal Privacy Commissioner, Submission PR 499 (20 December 2007), as cited by ALRC Report 108 vol 1 [15.58].

126. Office of the Federal Privacy Commissioner, Submission PR 499 (20 December 2007), as cited by ALRC Report 108 vol 1 [15.58].

127. ALRC Report 108 vol 1 [15.61].

128. ALRC Report 108 vol 1 [15.62].

129. UPP 9.6.

130. ALRC Report 108 vol 1 [15.62].

131. Re Tadeusz Slezankiewicz and Australian and Overseas Telecommunications Corporation [1992] AATA 204, [46].

132. ALRC Report 108 vol 1 [15.63].

133. Freedom of Information Act 1982 (Cth) s 48-49.

134. Freedom of Information Act 1982 (Cth) s 50.

135. Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4-7(1998) «http://www.privacy.gov.au/publications/HRC_

PRIVACY_PUBLICATION.pdf_file.p6_4_15.7.pdf 18» at 26 March 2009.

136. ALRC Report 108 vol 2 Recommendation 29-9.

137. ALRC Report 108 vol 2 [29.89].

138. Privacy Act 1988 (Cth) s 14, Principle 7 and sch 3, cl 6.5.

139. Privacy Act 1988 (Cth) s 14, Principle 7.

140. ALRC Report 108 vol 2 [29.94], see Principles 3, 8 and 7.

141. The Data Quality Principle is UPP 7, and is discussed in detail in Chapter 7.

142. ALRC DP 72 Proposal 26-5.

143. ALRC Report 108 vol 2 [29.95].

144. ALRC DP 72 Proposal 12-9(a).

145. ALRC Report 108 vol 2 [29.97].

146. ALRC Report 108 vol 2 [29.98].

147. ALRC Report 108 vol 2 [29.98].

148. ALRC Report 108 vol 2 [29.99].

149. ALRC Report 108 vol 2 [29.100].

150. ALRC Report 108 vol 2 [29.100].

151. ALRC Report 108 vol 2 [29.101].

152. ALRC Report 108 vol 2 [29.101].

153. ALRC Report 108 vol 2 [29.101].

154. ALRC Report 108 vol 2 [29.102].

155. ALRC Report 108 vol 2 [29.104], see also UPP 7.

156. ALRC Report 108 vol 2 [29.104].

157. ALRC Report 108 vol 2 [29.105].

158. ALRC Report 108 vol 2 [29.107]-[29.108].

159. ALRC Report 108 vol 2 [29.110].

160. ALRC Report 108 vol 2 [29.110].

161. ALRC Report 108 vol 2 [29.110].

162. ALRC Report 108 vol 2 [29.110].

163. ALRC Report 108 vol 2 [29.114].

164. ALRC Report 108 vol 2 [29.115], citing the submission of the National Archives of Australia, Submission PR 414, 7 December 2007.

165. ALRC Report 108 vol 2 [29.116].

166. ALRC Report 108 vol 2 [29.121].

167. ALRC DP 72 Proposal 12-9(b).

168. ALRC DP 72 Proposal 26-4.

169. ALRC Report 108 vol 2 [29.126].

170. ALRC Report 108 vol 2 [29.127].

171. ALRC Report 108 vol 2 [29.128].

172. GE Money Australia, Submission PR 537, 21 December 2007, as cited in ALRC Report 108 vol 2 [29.128].

173. ANZ, Submission 467, 13 December 2007, as cited in ALRC Report 108 vol 2 [29.129].

174. ALRC Report 108 vol 2 [29.130].

175. ALRC Report 108 vol 2 [29.131].

176. ALRC Report 108 vol 2 [29.132], see also Recommendation 29-9.

177. ALRC DP 72 vol 2 [26.37].

178. ALRC DP 72 vol 2 [26.37].

179. ALRC Report 108 vol 2 [29.136].

180. See para 9.19.

181. ALRC Report 108 vol 2 [29.137].

182. ALRC Report 108 vol 2 [15.69].

183. ALRC Report 108 vol 2 [15.70].

184. Privacy and Personal Information Protection Act 1998 (NSW) s 15(1), IPP 8(1).

185. Privacy and Personal Information Protection Act 1998 (NSW) s 15(2), IPP 8(2).

186. See para 9.5.

187. Health Records and Information Privacy Act 2002 (NSW) Part 4, Division 4, statutory note.

188. See para 9.8-9.11.

189. See para 9.8-9.10.

190. See para 9.88-9.90. The Commission is not persuaded that this is the correct interpretation of s 39.

191. However it should be noted that s 35 of the Health Records and Information Privacy Act 2002 (NSW) simply provides that the private sector person should “add a notation” to the information. Section 46 of the Freedom of Information Act 1989 (NSW) also just requires that the notation be added, without specifying how.

192. Privacy and Personal Information Protection Act 1998 (NSW) s 15, IPP 8, UPP 9.6(b) provides that notification is to take place upon request and where it “would be practicable in the circumstances”.

193. Health Records and Information Privacy Act 2002 (NSW) s 35(3). The Freedom of Information Act 1989 (NSW) also contains a like provision, s 46(3), but this only applies to applications for correction made under the Freedom of Information Act 1989 (NSW) itself. This section is not applicable where an individual makes a request to an agency under the Privacy and Personal Information Protection Act 1998 (NSW).

194. Health Records and Information Privacy Act 2002 (NSW) s 33-35.

195. Freedom of Information Act 1982 (Cth) s 26.

196. Freedom of Information Act 1982 (Cth) s 26(1)(a).

197. Freedom of Information Act 1982 (Cth) s 26(1)(c).

198. ALRC Report 108 vol 2 [29.171].

199. ALRC Report 108 vol 2 [29.172], italics, in the original.

200. ALRC Report 108 vol 2 [29.173].

201. ALRC Report 108 vol 2 [29.174].

202. ALRC Report 108 vol 2 [29.175].

203. ALRC Report 108 vol 2 [29.175].

204. ALRC Report 108 vol 2 [29.176].

205. ALRC Report 108 vol 2 [29.176], Recommendation 29-8.

206. ALRC Report 108 vol 2 [29.177]. Note further on the subject of notification of access and correction rights, in DP 72, the ALRC proposed that the recommended new part of the Privacy Act should provide that “where an individual is given access to personal information, the individual must be advised that he or she may request the correction of that information” (see ALRC DP 72 Recommendation 12-8(b)). No such proposal was made in relation to organisations, although the ALRC did say in DP 72 ([26.60]) that, in its view, “the proposed ‘Specific Notification’ and ‘Openness’ principles [would] adequately cover this issue”. The ALRC received submission in support of the proposal, although it noted that ACMA expressed concern regarding possible implications for resources and law enforcement and regulatory functions of agencies. The ALRC ultimately decided that, while “[a]gencies and organisations should take steps to inform individuals of their access and correction rights”, the Privacy Act itself did not need to include such a requirement. The ALRC indicated that UPP 3(c), which provides that agencies and organisations must notify individuals of their access and correction rights at the time their information is collected, “sufficiently encompassed” this issue (see ALRC Report 108 vol 2 [29.178]-[29.181]).

207. See Health Records and Information Privacy Act 2002 (NSW) s 27(3) and s 34(4); Freedom of Information Act 1989 (NSW) s 28 and 45.

208. Freedom of Information Act 1989 (NSW) s 28, particularly s 28(e)(ii).