Privacy Contact Officer Newsletter, 10 April 2003
PRIVACY
NEW SOUTH WALES
Dear Privacy Contact Officer,
You might have noticed that it’s been a while between editions of our newsletter - but that’s because we’ve been busy restructuring the Office and recruiting new staff! I am pleased to announce that we will soon have a dedicated Education & Publications Officer, who will be taking over the job of compiling this newsletter, as well as developing new projects to assist you to understand and implement your agency’s privacy obligations. There’s more on how our new structure affects you below.
In this newsletter we’ll also cover:
- an important change to what information transfers between agencies are allowed under the PPIP Act
- new cases determined in the ADT
- more tools to assist you to understand and implement the PPIP Act
- advice on conducting Internal Reviews under the PPIP Act
- information about the new Health Records & Information Privacy Act 2002
- advice about emerging issues
Information transfers between agencies - important news
We’ve just sent a letter to each agency’s CEO about this issue, suggesting they work with you to ensure your agency is complying with the Act.
1 July 2003 will mark the three-year anniversary of the commencement of the Act, and the Direction on Information Transfers Between Agencies [1] will therefore have been in force for three years pending the finalisation of the replacement Privacy Code of Practice.
The current Direction will expire on 30 June 2003, and the Privacy Commissioner has determined that if the replacement Code has not been finalised by then, he will at that time not remake the following provision in the Direction:
"The following exchanges of personal information between public sector agencies are exempted:
- exchanges of personal information which are reasonably necessary for the performance of agreements (whether formal or informal) between agencies, and which agreements operated in the 12 month period prior to 1 July 2000 and have continued to operate since 1 July 2000 under the directions referred to in Paragraph 4 of this Direction".
This provision of the section 41 Direction was intended as a transitional provision, to allow agencies some time to bring pre-existing practices into compliance with the PPIP Act. As at 30 June 2003, agencies will have had three years grace in terms of this provision.
Therefore from 1 July 2003, agencies will no longer be able to rely on formal or informal agreements that pre-dated 1 July 1999, to authorise non-compliance with the IPPs.
Your agency may of course already be complying with the relevant IPPs - see for example IPPs 1-4 with respect to collection, and IPPs 11-12 with respect to disclosure of personal information.
Alternatively, your agency’s non-compliance might already be authorised by another exemption – see for example the exemptions in ss.22-28 of the PPIP Act, other section 41 Directions, and other Privacy Codes of Practice which might apply to your agency. (In particular, see s.25 of the PPIP Act, which allows non-compliance if your practices are lawfully authorised, required, permitted, necessarily implied or reasonably contemplated under any other law.)
However if your agency is relying solely on formal or informal agreements which pre-date 1 July 1999, to authorise the collection of personal information from, or the disclosure of personal information to, another public sector agency, you must do one of the following before 30 June 2003:
- ensure your practices are amended to comply with the IPPs, or
- amend your own legislation to lawfully authorise your practices, or
- seek a new section 41 Direction from the Privacy Commissioner (on public interest grounds) to cover the collections / disclosures until such time as you can do one of the above.
To seek a new section 41 Direction from the Privacy Commissioner (on public interest grounds), or if you have any questions or other matters you wish to raise in relation to this matter, please do not hesitate to contact me on (02) 9268 5580.
Get ready for July
Annual Reporting time is just around the corner - remind your Report writer that your agency must report on 'statistical details of any review conducted by or on behalf of the agency under Part 5' [2].
The PPIP Act doesn’t explain what this should include, but Privacy NSW suggests that as a matter of good practice you report:
- the number of Internal Review applications lodged during the year
- the number of Internal Review applications finalised during the year
- the outcomes of each Internal Review that was finalised, eg:
  - the IPP / Code / public register provision(s) at issue
  - the finding: breach found or no breach found
  - any remedy or action proposed or taken
- how many (if any) matters proceeded to the ADT
- the results of any ADT matters finalised (determined or settled) during the year
New cases in the ADT
Since our last newsletter there have been many more ADT cases lodged, but quite a few are settling. However at the date of writing there were three new cases. We’ve got links to the full judgments on our website [3], and we are preparing some case summaries for you to also go on the website. Only one case so far (DO v UNSW) has proceeded to a review of the agency’s conduct - and in that case the agency was found to have complied with the relevant IPPs.
Tools to assist you to understand and implement the PPIP Act
We know your job can be tough, trying to ensure everyone in your agency understands his or her role in complying with the PPIP Act. So we’re pleased to say that we’ve been working on some tools to help you out.
First is the Information Management - Privacy and Personal Information Protection Guideline, which was produced by the Office of Information Technology with our input. The Guideline is aimed primarily at Information Technology professionals in the public sector, but is useful for anyone dealing with information management, whether in the IT, records management, FOI or privacy areas. This one document brings together everything from legislation to best practice standards. The Guideline was launched by the Privacy Commissioner and the Minister for Information Technology and Management in July 2002, and is available from http://www.oit.nsw.gov.au/pages/4.3.20-IM-Privacy.htm
The second tool, which will be launched soon, is also a joint project from the Office of Information Technology and Privacy NSW. It is an online training program about the PPIP Act, which will be made available to agencies for free. The program brings together privacy, FOI and State Records obligations, and has a specialised local government module which explains how all of these work with the Local Government Act too. The program is designed so that it can be used as a training tool, a risk management tool, and also just a simple point of reference for people to go back to anytime they need to check what their obligations are. Several agencies’ Privacy Contact Officers helped us develop this program, so a big thank you to the Department of Juvenile Justice, NSW State Records, the Department of Local Government, the Department of Housing, and the University of Sydney.
The third tool is a checklist to help you conduct Internal Reviews, which can be downloaded from our website. This is a much more comprehensive version of the checklist from our 1999 guidelines. It includes cross-references to the Act, helpful advice on process based on ADT judgments to date, and tips from our experience of oversighting the 176 Internal Reviews lodged since the Act commenced!
The fourth tool is a standardised Internal Review ‘application form’ which should make your job easier, as well as helping complainants clearly frame their applications. The application form cannot be made compulsory, but you could post it on your website and have it at your front counter to encourage applicants to use it. You can download a copy from our website.
We’re now working on a fifth product, of particular use to human services agencies but relevant to all. We are drafting Guidelines on ‘consent and capacity’ to deal with the grey areas in the PPIP Act, namely: how does an agency get consent to use personal information if the individual lacks capacity to give or refuse consent? We’re running a stakeholder consultation during Law Week (15 May) and hope to finalise the Guidelines by mid-year. If you would like to make a submission on the draft Guidelines you can download a copy from our website from late April, and make your submission by 30 May.
Stay tuned for more assistance from Privacy NSW, as our new staff swing into action. As well as new publications we’re planning a substantial revision of our website, with a section devoted to Privacy Contact Officers, so your suggestions on ways we can help you would be most welcome. Email your suggestions to me at anna_johnston@agd.nsw.gov.au
Helping you conduct Internal Reviews
As well as the checklist now available on our website (see above), here are our answers to some frequently asked questions about conducting Internal Reviews under the PPIP Act.
Should we give an extension of time?
In our last newsletter we suggested agencies develop a policy on when to allow extensions of time for lodging an Internal Review. This item generated a lot of interest and more questions, so here’s some more advice on that issue.
There is nothing in the Act that suggests in what circumstances agencies should allow an extension of time to lodge an Internal Review. The decision to allow an extension (or not) is not of itself reviewable (see Y v DET and BQ v Commissioner of Police). However Privacy NSW simply suggests that as a matter of good practice, agencies should consider exercising their discretion in a reasonable and transparent manner.
There may be a number of reasons which you would accept as reasonable, but here's our suggestion for a starting point, which you could include in your Privacy Management Plan:
The (agency)’s discretion to allow a late application is not limited by this Policy, however as a general guide, consideration will be given to the following possible reasons for delay:
- ill-health or other reasons relating to incapacity
- the complainant only recently becoming aware that the ability to seek an Internal Review even existed
- the complainant reasonably believed that they would suffer repercussions as a result of making an Internal Review application at an earlier time
How should we deal with requests for access or amendment?
IPPs 7 and 8 (ss.14 and 15) in the PPIP Act give individuals the right to seek access to, and correction of, their personal information held by a public sector agency.
Requests made to your agency under these provisions do not need to be notified to our Office. They are not requests for Internal Review.
If however your agency refuses the request, the person may seek a review of your refusal, by lodging an Internal Review application - and then you should notify us.
Don’t forget that the exemptions available to you under the FOI Act when dealing with a request for access or amendment also apply automatically to requests made under the PPIP Act.
What happens if the matter goes to the ADT?
You might not know that the Privacy Commissioner has automatic ‘standing’ to appear in all cases before the Administrative Decisions Tribunal that are applications for review under the PPIP Act.
However the Privacy Commissioner does not act as an advocate for either side. While a representative of the Commissioner (usually one of our legal officers) will often come to the first planning meeting of an ADT case to find out what the case is about, we only seek to make submissions in those cases which involve a systemic or ‘public interest’ issue, or where the Tribunal needs our assistance with understanding the law (eg. by knowing which s.41 Direction was in place at a particular time).
That is, while we generally won’t make submissions about the facts of the individual case, we may make submissions on matters of statutory interpretation, in order to protect the public interest in privacy protection. For the same reasons, we generally don’t get involved in settlement negotiations, unless there is a wider issue at stake than just a remedy for the individual complainant.
We’re working on a Protocol which will spell out our criteria in more detail, and when it’s finished we’ll put it on our website along with our Complaints Protocol.
You might be interested to note that the number of complainants taking their matters to the ADT has risen dramatically this year. Already over 30 cases have been lodged in 2002-03, compared to 9 last financial year and 3 the year before that. As noted above, quite a number settle before proceeding to hearing, so there is still very little case law arising from all these matters.
The new HRIP Act
The Health Records & Information Privacy Act 2002 (the HRIP Act) will commence on 1 March 2004, and will affect both public and private sector holders of ‘health information’ - not just health service providers. There are 15 Health Privacy Principles (HPPs) that will look pretty familiar to those of you conversant with the 12 IPPs in the PPIP Act.
‘Health information’ will effectively be taken out of the scope of the PPIP Act, but the remedies for complaints about breaches of the HPPs by public sector agencies will be exactly the same: the complainant can seek an Internal Review followed by external review by the ADT, or he/she can make a privacy complaint to the Privacy Commissioner for investigation and conciliation.
NSW Health has provided funding for Privacy NSW to develop guidelines under the HRIP Act and to implement education and training for public sector agencies before 1 March 2004. We’ve just employed two officers to work on this project in consultation with stakeholders, so you’ll be hearing more from us about the HRIP Act over the coming months.
Emerging issues
From our enquiries line, new complaints and requests for advice we’ve identified some emerging risk areas to watch out for in your agency:
- IPPs 1-4: What personal information are you collecting through your recruitment practices? We’ve seen some examples of contracted recruiters collecting more personal information than is necessary, as well as pre-employment medical checks that do not comply with the Premier’s Department guidelines.
- IPP 5: What are your contractors doing with the personal information you’ve given them (or which they are collecting on your behalf)? You might be liable for any non-compliance (see s.4(4) of the PPIP Act) so make sure you take steps to ensure their compliance - for example by writing into your contracts what they can and can’t do with the information.
- IPPs 11-12: What personal information are you disclosing by providing photos and/or ‘good news stories’ to the media?
- CCTV: If you are using CCTV, ‘web cams’ or similar, are you complying with the Workplace Video Surveillance Act 1998? Check our Guide to the WVS Act on our website. If your CCTV is in a public space also check the NSW Government Policy Statement and Guidelines for the Establishment and Implementation of Closed Circuit Television (CCTV) in Public Places [4] and don’t forget that if an individual’s identity can be ascertained from your video footage, then it is ‘personal information’ and therefore the PPIP Act also applies.
Privacy NSW news
We’ve finished our restructure and recruited some new staff, so let me introduce the current team:
| Name | Position | Telephone |
| --- | --- | --- |
| Chris Puplick | Privacy Commissioner | 9268 5555 |
| Anna Johnston | Deputy Privacy Commissioner | 9268 5580 |
| | Compliance & Investigations Unit | |
| Siobhan Jenner | Senior Compliance & Investigations Officer | 9268 5583 |
| Jacqueline Roarty | Investigations Officer | 9268 5585 |
| | Legal, Policy & Research Unit | |
| John Gaudin | Senior Legal & Policy Officer | 9268 5581 |
| Lucy Blamey | Legal & Policy Officer | 9268 5582 |
| Myra Cheng | Research & Policy Officer (part-time) | 9268 5586 |
| Natasha Mann | Legal & Policy Officer (HRIP Act) | 9268 5588 |
| Michelle Johnson | Research & Policy Officer (HRIP Act) | 9268 5588 |
| | Education & Publications Unit | |
| Leila Loupis | Education & Publications Officer | 9268 5588 |
| | Office Management Unit | |
| Rosemarie McEwan | Correspondence Manager | 9268 5515 |
| Peggy Phan | Office Manager | 9268 5588 |
| | Office fax | 9268 5501 |
This new structure has been implemented following an organisational review and a client satisfaction survey conducted last year. Through this new structure and a re-focussing of energies we hope to become more pro-active in assisting agencies with their compliance with the PPIP Act. I would welcome your feedback on how we can continue to better assist Privacy Contact Officers.
Best regards,
Anna Johnston
Deputy Privacy Commissioner
1. See the Direction on Information Transfers between Agencies on our website.
2. Section 33(3)(b) of the Privacy and Personal Information Protection Act 1998 (the PPIP Act).
3. Check our Case Law for the details - mark the page in your internet ‘Favourites’ so you’ll always stay up-to-date.
4. See http://www.lawlink.nsw.gov.au/cpd.nsf/pages/cctv_index