Introduction

BACKGROUND TO THIS REPORT
0.1 In terms of reference issued on 11 April 2006 by the then Attorney General, the Hon R J Debus MP, the Commission was asked to “inquire into and report on whether existing legislation in NSW provides an effective framework for the protection of the privacy of an individual”. In undertaking this review, the Commission was asked to consider, among other issues, the desirability of privacy protection principles being uniform across Australia. The Commission was specifically asked to liaise with the Australian Law Reform Commission (“ALRC”).
0.2 The Commission divided the work into stages and, in the first stage of the project, examined whether or not a statutory cause of action for breach of privacy should be introduced in NSW. A consultation paper was published in May 2007, which outlined a possible statutory cause of action and sought community response.1 A final report, proposing a statutory cause of action for invasion of privacy as part of a uniform law reform exercise, was completed in April 2009.2
0.3 In the second phase, the Commission focused on the legislative approach to privacy within NSW. Consultation Paper 3, Privacy Legislation in New South Wales (“CP 3”), published in June 2008, evaluated the effectiveness of the key NSW statutes that protect privacy, namely: the Privacy and Personal Information Protection Act 1998 (NSW); the Health Records and Information Privacy Act 2002 (NSW); the Freedom of Information Act 1989 (NSW); the Local Government Act 1993 (NSW); and the State Records Act 1998 (NSW). CP 3 analysed the privacy principles in depth and made numerous proposals for reform.3
0.4 For reasons that are explained below, in this next phase of the privacy reference we have isolated the review of the privacy principles and deal with it first, before proceeding to report on the balance of the issues canvassed in CP 3.
WHAT ARE PRIVACY PRINCIPLES?
0.5 Privacy principles regulate privacy by setting out general rules that “express the fundamental obligations that all should observe”.4 Principles do not:
necessarily prescribe detailed steps that must be complied with, but rather [set] an overall objective that must be achieved. In this way, principles-based regulation seeks to provide an overarching framework that guides and assists regulated entities to develop an appreciation of the core goals of the regulatory scheme.5
By being framed at a higher, more general level than detailed, prescriptive rules, principles allow for broad application and flexibility, both across jurisdictions and entities, and in changing situations and developing technological contexts.
0.6 Taking a principles-based approach to privacy regulation, as opposed to a rules-based approach, shifts the focus of the legislation from process to outcomes.6 In its Report 108, the ALRC quoted Professor Black to explain the rationale for this:
Regulators, instead of focussing on prescribing the processes or actions that firms must take, should step back and define the outcomes that they require firms to achieve. Firms and their management will then be free to find the most efficient way of achieving the outcome required.7
0.7 Current privacy legislation in both the Commonwealth and NSW takes a principles-based approach to the regulation of information privacy. The ALRC has indicated that this is its preferred approach in any amended Commonwealth legislation. Subject to two caveats, highlighted in the two following paragraphs, the Commission supports this view and favours a continued principles-based approach to information privacy regulation in NSW.
0.8 A regime that is underpinned by high-level principles needs to be augmented by privacy guidelines and regulations, which is what the ALRC proposes. In theory, this is a sound scheme. However, in practice, privacy regulation will only remain effective if regulations clarify and strengthen, not dilute, the default standards set in privacy principles,8 and privacy guidelines are supported by effective enforcement.9
0.9 This is particularly relevant for NSW’s health industry in light of the Commission’s proposal, and the ALRC’s recommendation, to hand over responsibility for regulating privacy in the private sector to the Commonwealth, discussed in detail below. The Commission questioned in CP 3 whether, if health information held by the private sector were regulated by the Privacy Act 1988 (Cth), there would still be a need for the continued existence of the Health Records and Information Privacy Act 2002 (NSW).10 It would be a matter for concern if the current high standards set for the protection of health information privacy by the Health Records and Information Privacy Act 2002 (NSW) were weakened by regulations passed pursuant to the Privacy Act 1988 (Cth). For this reason, the Commission urges that the default standards in the UPPs not be undermined by regulations.
ALRC’S APPROACH TO REVIEW OF PRIVACY
National uniformity
0.10 National uniformity is one of the key areas of focus of a concurrent inquiry into Australia’s privacy laws by the ALRC. In September 2007, the ALRC published its Discussion Paper 72, Review of Australian Privacy Law,11 and in May 2008 it published its final report, For Your Information: Australian Privacy Law and Practice (“Report 108”). The cornerstone of Report 108 is the premise that privacy laws should be consistent across all Australian jurisdictions.12
0.11 The Commission’s CP 3 likewise emphasised the desirability of a consistent legislative approach to privacy both nationally and within NSW itself. It proposed that reforms of NSW privacy law should aim to achieve national uniformity13 and that NSW should co-operate with the Commonwealth in the development of privacy principles that are capable of application in all NSW privacy legislation.14
0.12 In pursuit of uniformity, the ALRC has recommended the development of Unified Privacy Principles (“UPPs”) and the enactment by the States and Territories of legislation that applies these and adopts relevant definitions used in the Privacy Act 1988 (Cth).15 The ALRC has formulated 11 UPPs, which it recommends serve as the framework of national consistency. These are set out below and each is discussed in the chapters that follow this Introduction:
- UPP 1 – Anonymity and Pseudonymity
- UPP 2 – Collection
- UPP 3 – Notification
- UPP 4 – Openness
- UPP 5 – Use and Disclosure
- UPP 6 – Direct Marketing
- UPP 7 – Data Quality
- UPP 8 – Data Security
- UPP 9 – Access and Correction
- UPP 10 – Identifiers
- UPP 11 – Cross-border Data Flows
0.13 The UPPs are drafted at a high level of generality to allow for flexibility in their application to different jurisdictions. As explained above, the Commission supports this approach, noting in CP 3 that high-level principles accommodate the differences in practices and obligations across jurisdictions, public and private sectors, and individual businesses. High-level privacy principles are also capable of accommodating the particularity of health information.
Application to public sector/private sector
0.14 Under the Privacy Act 1988 (Cth), public sector agencies and private sector organisations are regulated by separate sets of privacy principles. Agencies are regulated by 11 Information Privacy Principles, set out in s 14 of the Act, and organisations are regulated by 10 National Privacy Principles set out in Schedule 3 to the Act. They are quite different from each other. The UPPs represent a major departure from this model in that, except for UPPs 6 and 10,16 they apply to both agencies and organisations.17 This feature should be kept in mind in approaching the discussion of each of the UPPs.
Exemptions
0.15 Report 108 devotes an entire part, Part E, to exemptions. This part includes a discussion of: exemptions from the Privacy Act; exemptions for specified bodies, such as intelligence and defence intelligence agencies, federal courts and tribunals, agencies with law enforcement functions, and exempt agencies under the Freedom of Information Act 1982 (Cth); other public sector exemptions; the exemption for small business; the employee records exemption; a political exemption; a journalism exemption; other private sector exemptions; and a recommended new partial exception for alternative dispute resolution.18
0.16 The Cyberspace Law and Policy Centre notes that the ALRC recommends “removal of many of the existing exemptions, such as those for employee records, small business and political parties, acts and practices, and narrowing of the media exemption, and review of many of the arbitrary ‘inherited’ exemptions for specific government agencies”. The Centre points out that “these recommendations would mean a major extension of the coverage of the privacy principles, with privacy obligations and rights applying in many circumstances where they are most necessary”.19
0.17 Similarly, in CP 3, the Commission canvassed the exemptions under the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW), including exceptions to what constitutes “personal information”, and proposed changes to eliminate or limit many exceptions, thereby expanding the scope of those Acts and the application of the Information Protection Principles and Health Privacy Principles.20
0.18 Clearly, the number and form of exemptions have a direct bearing on the application of the UPPs, although more on the breadth of their ambit than on the content of each. As indicated above, the Commission intends to address the broader question of exemptions in the next phase of this reference; in this report, we once again distil the issues strictly pertaining to the UPPs themselves. Hence, where a particular UPP contains exemptions that are relevant in the specific context of that UPP, these are analysed in the dedicated chapter. This report does not deal with general exemptions from all or parts of the Commonwealth and NSW privacy Acts.
PURPOSE OF THIS REPORT
0.19 This paper constitutes a step in the continuum of reform of privacy law within NSW, making recommendations that are directed to NSW but intended to apply uniformly. The purpose of this paper is to evaluate the UPPs for their feasibility and efficacy as principles to be incorporated into NSW’s privacy legislation. The objective of achieving national uniformity dictates that the UPPs should be both capable of incorporation into State and Territory legislation, and acceptable to the States and Territories in terms of the value and effectiveness of the UPPs: the States and Territories must be both willing and able to adopt the UPPs.
0.20 We have chosen to keep the focus of this paper concentrated. We are mindful that there are many intertwined issues that require resolution, including the interaction of privacy laws with other legislation, especially freedom of information legislation, and questions as basic as what “personal information” should encompass, and, therefore, to what personal information the UPPs should apply. By keeping this report so narrowly focused, the Commission in no way intends to ignore those issues or underestimate their significance and complexity. We have taken the view that it is important to get the UPPs right, first and foremost, as they will underpin State and Commonwealth privacy regimes.
0.21 Furthermore, there is increasing recognition that freedom of information laws are unsatisfactory, and moves towards dedicated reviews of these laws by both the Commonwealth and NSW governments.21 Related to this is an acknowledgment that the ground is shifting under privacy and freedom of information, and that the landscape may well look very different in the near future. In that case, it becomes even more important to settle high-level privacy principles that can withstand changes at the specific and detailed regulatory level.
0.22 Lastly, the timing of this report is important against the timetable of federal and State reform agendas. The federal Government will respond to the ALRC’s report in two stages, the first stage being to consider the ALRC’s recommended UPPs.22 The Government indicated its intention to finalise its response to the ALRC’s report within 12 to 18 months of its release. The Government is seeking the comments of the State and Territory governments through the Standing Committee of Attorneys-General.23 The Government is aiming to release an exposure draft Bill by December 2009. The Commission’s views and recommendations set out in this paper are intended to contribute to the consultation phase.
0.23 New freedom of information legislation has recently been exposed or adopted in the Commonwealth, NSW and Queensland. The draft Commonwealth Information Commissioner Bill 2009 and Freedom of Information Amendment (Reform) Bill 2009 were released for public consultation on 24 March 2009. In NSW, the Government Information (Public Access) Act 2009, Government Information (Information Commissioner) Act 2009 and Government Information (Public Access) (Consequential Amendments and Repeals) Act 2009 received Assent in June 2009 and were awaiting proclamation at the time of writing. The Queensland Right to Information Act 2009 and Information Privacy Act 2009 commenced in July 2009.
Particular limitations
Application to public sector/private sector – impact on NSW
0.24 In DP 72, the ALRC proposed that the Privacy Act be amended to preclude State and Territory laws that regulate the handling of personal information by private sector organisations.24 The implications for NSW of the Commonwealth taking over privacy regulation of organisations would be principally in relation to health information as it is only the Health Records and Information Privacy Act 2002 (NSW) that regulates information held by organisations. The Privacy and Personal Information Protection Act 1998 (NSW), which regulates personal information, applies only to public sector agencies. In Report 108, the ALRC went on to recommend that the Privacy Act should apply, to the exclusion of State and Territory laws, to the handling of personal information by private sector organisations.25 It specifically nominated the Health Records and Information Privacy Act 2002 (NSW) as one of the Acts that would be excluded to the extent that it applies to organisations.
0.25 In CP 3, the Commission supported the DP 72 proposal, observing that this would be highly beneficial for multi-disciplinary organisations, or those that operate across State jurisdictions, since they would only need to comply with one set of privacy principles. It would also make it easier for consumers to know which law regulates access to, and protection of, their health information.26
0.26 The Commission affirmed, however, that NSW would – and should – continue to have a role in regulating health information held by State public sector agencies and private sector contractors that deal with those agencies. The Commission noted that this is vital given the NSW Government’s role in the management and delivery of health care services in this State. We also noted that the ALRC acknowledges the importance of complaints-handling at a local level, and that it proposed that State and Territory complaint agencies should be delegated the power to deal with complaints concerning alleged interferences with health information privacy by private sector organisations.27
0.27 Although we were supportive of the ALRC’s proposal,28 and are supportive of the ALRC’s recommendation, the Commission made it clear in CP 3 that we would not make any final recommendation before obtaining the views of consumers and businesses who would be affected by handing over responsibility for health information protection in the private sector to the Commonwealth.29 In the event, all submissions to CP 3 that responded to the Commission’s Proposal 5, bar one,30 were in support of it.31
0.28 Therefore, in examining each of the UPPs in the following chapters, the Commission considers whether the UPP in question effectively encompasses health information as well as personal information.
FOOTNOTES
1. NSW Law Reform Commission, Invasion of Privacy Consultation Paper 1 (2007).
2. NSW Law Reform Commission, Invasion of Privacy Report 120 (2009).
3. NSW Law Reform Commission, Privacy Legislation in New South Wales Consultation Paper No 3 (2008) (“NSWLRC CP 3”), Ch 3 and 6.
4. J Black, Principles Based Regulation: Risks, Challenges and Opportunities (London School of Economics and Political Science, 2007), 3.
5. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008) (“ALRC Report 108”) vol 1 [4.7].
6. ALRC Report 108 vol 1 [4.6].
7. J Black, Principles Based Regulation: Risks, Challenges and Opportunities, 5, quoted in ALRC Report 108 vol 1 [4.6].
8. See N Waters and G Greenleaf, “Meeting Privacy Challenges – the ALRC and NSWLRC Privacy Reviews”, Paper given at Cyberspace Law and Policy Centre, University of New South Wales Symposium, Panel Session 3: “How do the ALRC and NSWLRC proposals contribute to providing a set of global best practice Privacy Principles which also adequately address the privacy threats and opportunities from emerging technologies?” 2 October 2008 (“Waters and Greenleaf”) 6.
9. Waters and Greenleaf, 6.
10. NSWLRC CP 3 Issue 4.
11. Australian Law Reform Commission, Review of Australian Privacy Law Discussion Paper 72 (2007) (“ALRC DP 72”).
12. ALRC Report 108 vol 1 [3.13]-[3.15] Recommendation 3-4.
13. NSWLRC CP 3 Proposal 1.
14. NSWLRC CP 3 Proposal 2.
15. ALRC Report 108 vol 1 [3.13]-[3.15] Recommendation 3-4.
16. These UPPs only apply to organisations.
17. Although, within UPP 9 there are slight differences in application depending on whether the information is held by an agency or organisation. Also, UPP 2 contains a sub-section, UPP 2.5(d) that applies only to non-profit organisations.
18. ALRC Report 108 vol 2 Recommendation 44-1.
19. Waters and Greenleaf, 2.
20. NSWLRC CP 3 Ch 5 and 7.
21. The Commission received terms of reference on 1 June 2009 extending its terms of reference dated 11 April 2006 to encompass a review of the interaction of privacy laws with the Freedom of Information Act 1989 (NSW). See the NSW Law Reform Commission website «http://www.lawlink.nsw.gov.au/lrc» at 10 September 2009.
22. Senator John Faulkner, Speech to the Cyberspace Law and Policy Centre Symposium on “Meeting Privacy Challenges – the ALRC and NSWLR Reviews”, UNSW, Sydney, 2 October 2008.
23. Senator John Faulkner, Speech to the Cyberspace Law and Policy Centre Symposium on “Meeting Privacy Challenges – the ALRC and NSWLR Reviews”, UNSW, Sydney, 2 October 2008.
24. ALRC DP 72 Proposal 4-1.
25. ALRC Report 108 vol 1 Recommendation 3-1.
26. NSWLRC CP 3 [4.40].
27. ALRC DP 72 Proposals 45-3 and 56-1.
28. NSWLRC CP 3 Proposal 5: “The Health Records and Information Privacy Act 2002 (NSW) should be amended so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth).”
29. NSWLRC CP 3 [4.42].
30. Justice Health alone opposed the proposal. It pointed out that, in the course of providing health services, there is often a linkage of health records and an exchange of health information between the private and public sectors. It was of the view, therefore, that two sets of legislation relating to health information (the Privacy Act 1988 (Cth) for health information held by organisations and State privacy legislation for health information held by agencies), and two sets of principles to adhere to, may pose difficulties both for agencies and individuals. The Commission notes, however, that this argument loses its force in the face of the move towards adopting uniform privacy principles.
31. Australian Privacy Foundation, Submission; The Consumer Credit Legal Centre NSW, Submission; Cyberspace Law and Policy Centre, UNSW, Submission, 5; Inner City Legal Centre, Submission, 11; Office of the Privacy Commissioner, Submission, 5. Also, by implication but not expressly: Law Society of NSW, Submission, 2; Motor Accidents Authority of NSW, Submission; and State Records Authority of NSW, Submission.