June 2002 newsletter
Dear Privacy Contact Officer,
Welcome to the June 2002 newsletter from Privacy NSW - our way of keeping you up-to-date on privacy-related matters, your responsibilities as a Privacy Contact Officer, news about implementation of the Privacy and Personal Information Protection Act 1998 (the PPIP Act), and other developments in our Office.
This newsletter covers a number of topics which impact on all agencies:
- changes to the s.41 Directions,
- hints on how to handle requests for Internal Reviews,
- our policy on investigating complaints against public sector agencies,
- a new case decided under the PPIP Act by the Administrative Decisions Tribunal (ADT),
- issues arising from our 2nd Special Report to Parliament, and
- results of the client satisfaction survey and resourcing review of our Office.
Changes to the s.41 Directions
The following s.41 Directions, made by the Privacy Commissioner, expire on 30 June 2002:
- Collection and disclosure for research purposes
- The use of information for investigative purposes
- Some information transfers between public sector agencies
The Privacy Commissioner has taken the view that s.41 Directions ought be temporary in nature, allowing a flexible approach to compliance with the Information Protection Principles (IPPs) or the public register provisions in the PPIP Act while more comprehensive Privacy Codes of Practice are being developed.
If we don’t have a Privacy Contact Officer listed for your agency, we’ve written to your CEO (or for local councils, the Public Officer). To nominate a new PCO, please email us their details, making sure you identify which public sector agency you are from. If you give us an email address too, we’ll be able to send your PCO email updates of changes to the law or new cases.
However the Privacy Commissioner has expressed his concern at the length of time taken to finalise the replacement Codes. The reliance upon these particular s.41 Directions for the past two years has highlighted a number of difficulties with respect to their interpretation and application.
For that reason, the Privacy Commissioner has proposed to issue fresh s.41 Directions covering the same topics, which will more clearly address these concerns. Most of the minor alterations are to clarify that the conduct authorised by those Directions (which would otherwise breach the IPPs or the public register provisions in the PPIP Act) must be reasonably necessary in the first place. As before, however, these Directions are only intended as a ‘stop-gap’ measure until more comprehensive Codes, subject to full consultation, are finalised by the Attorney General.
Agencies which currently rely on one or more of these three Directions ought therefore carefully check the wording of the new Directions, which will be available before 30 June at our website.
Agencies should therefore check that the practices they are following now will still comply from 1 July.
Issues for agencies: where are your complaints most likely to come from?
An analysis of complaints made to this Office against public sector agencies, in relation to files closed during 2000-01, showed that the most complaints were coming from employees (27%), constituents (10%) and students (10%) of the agency concerned.
However in relation to complaints closed thus far in 2001-02, this pattern has changed. Clients and customers of government, which may include students, prisoners, residents and ratepayers, accounted for 52% of complaints against NSW State agencies and local councils. Complaints by employees accounted for 14% of complaints overall, although there was a marked difference in this category between local councils (31%) and State agencies (10%).
Internal Review applications are again most likely to be made by clients and customers (69%) or employees (23%).
Issues for agencies: how to handle requests for Internal Reviews
We’re getting more and more experienced in sorting the good Internal Review practices from the bad. Save yourself any heartache and follow our tips for getting it right.
1. Know when a request has come in. The ADT has warned agencies that an application for internal review need not be clearly identified as such. (See our December 2001 newsletter for more on Y v DET.) Check your staff know what to look for.
2. Notify us straight away. Under s.54 of the PPIP Act, as soon as practicable after receiving an application for Internal Review, you must notify us of the application. You must also keep us informed about the progress and outcome of each matter.
3. Know your time limits. Under s.53(6), you effectively have 60 days to conduct the review, before the applicant can go straight to the ADT.
4. Tell the applicant what’s going on straight away. Tell the applicant:
- that you are conducting an Internal Review under the PPIP Act
- who is conducting the review, and how they are independent of the original decision-maker
- that if your review is not complete within 60 days, they can go to the ADT
5. Check progress at about 4 weeks, and again at 6 weeks. You must notify us of progress (s.54(1)(b)), so tell us and the applicant:
- where the review is up to
- any reasons for delay
- the likely completion date
6. When you’re finished, you must tell the applicant (s.53(8)) and us (s.54):
- that you have completed the Internal Review
- what your findings are
- what the reasons for your findings are
- a plain English explanation of the law behind your reasons (eg. whether the conduct is permitted under any of the exemptions in Part 2 and if the conduct is permitted or required by any other law)
- what actions you are going to take
- that the applicant has the right to have your findings reviewed by the ADT.
7. Keep a record. Your annual report must include statistical details of any Internal Review conducted by your agency (s.33(3)).
8. Have a clear and written policy on:
- the circumstances in which your agency will extend the standard time limit of 6 months for accepting applications for Internal Review
- the means by which you will advise applicants of the grounds for accepting late applications
- how you will start ‘counting’ time towards the 6 month limit. (Note that in Y v DET, the ADT warned against agencies using “self-serving calculations” when deciding not to extend the time limit in order to avoid conducting a review.)
How we investigate complaints against you
The standards we apply
Under s.45 of the PPIP Act, the Privacy Commissioner may deal with complaints about “the alleged violation of, or interference with, the privacy of an individual”. Therefore, we are not limited to investigating conduct which may represent a breach of the IPPs or public register provisions of the PPIP Act. We accept complaints made against both the public and private sectors.
A finding that a complainant’s privacy has been ‘violated or interfered with’ will be based on either Privacy NSW’s Data Protection Principles (DPPs) or the “Prosser tests”.
If the complaint concerns the misuse of personal information by an organisation, Privacy NSW will refer to the DPPs. The DPPs are similar to the IPPs in the PPIP Act, but they do not have the force of law. The DPPs were prepared by the then NSW Privacy Committee in 1991, and have been used by the Privacy Committee and Privacy NSW since then. The DPPs have been officially adopted as Guidelines by the Privacy Commissioner under s.36(2)(b) of the PPIP Act, and are available on Privacy NSW’s website. The DPPs will be applied flexibly by the Privacy Commissioner, recognising that with respect to some practices it may be appropriate to act in a manner contrary to the DPPs.
Where a complainant alleges that a person’s privacy has been violated or interfered with by other means, such as a physical incursion or the use of surveillance, and in the absence of a settled legal or statutory definition of privacy, Privacy NSW will rely on the “Prosser tests”. Those tests concern the degree to which:
- the alleged conduct intruded upon the plaintiff’s seclusion or solitude, or into his private affairs,
- the alleged conduct involved public disclosure of embarrassing facts about the plaintiff,
- the alleged conduct generated publicity which placed the plaintiff in a false light in the public eye, or
- the alleged conduct involved the appropriation by the respondent of the complainant’s name or likeness.
The 2nd Special Report to Parliament by the Privacy Commissioner (see more about this below), which is on our website, includes a very detailed description of Privacy NSW’s methodology in assessing, investigating and dealing with complaints. If you have any further questions about our complaint handling function, please give us a call.
What happens if there’s already been an Internal Review of that complaint?
The complainant’s choice to follow the Internal Review route does not preclude the Privacy Commissioner from dealing with a s.45 complaint about the same matter. However as a matter of practice, Privacy NSW will not deal with a s.45 complaint while an Internal Review (or an ADT ‘external’ review), dealing with substantially the same complaint or matter, is on foot. (Even if the ADT case is under the FOI Act, eg. about access or amendment to records, Privacy NSW will regard this as substantially the same matter.)
After the internal / external review route has been exhausted, the Privacy Commissioner will usually only deal with the complaint if the merits of the complaint were not canvassed in the internal / external review process. For example if the agency or the ADT did not review the merits of the complaint because the application was denied for a jurisdictional reason (such as being lodged out of time), we may still investigate. Therefore agencies should note that we may receive papers from you, through the Internal Review process, that we may comment on in a s.45 complaint later.
However if a matter has settled between the parties (eg. an out-of-court settlement prior to an ADT hearing), Privacy NSW will not accept a complaint about the same matter.
BQ: the second case decided under the PPIP Act by the ADT
The case of BQ v Commissioner of Police, NSW Police Service [2002] NSW ADT 64, was decided in the Administrative Decisions Tribunal on 26 April 2002 by Judicial Member A. Britton.
The applicant (BQ) applied for an administrative position with the NSW Police. He was advised that a criminal records check would be conducted with respect to recommended job applicants. BQ was recommended for appointment and a criminal records check was conducted. The check revealed entries on the NSW Police “COPS” data system relating to an incident in respect of which “Arrest Not Desired” had been noted - that is, there was an entry in COPS but no ‘criminal record’ as such. The entries were discussed with BQ, who was subsequently offered a temporary position with the Police Service.
The position was made permanent sometime later. Only after his position was made permanent did BQ apply for an Internal Review under the PPIP Act, in respect of the agency’s use of personal information as part of a recruitment ‘criminal records’ check. This application was made about ten months after the time that BQ first became aware of the conduct that was the subject of the complaint. BQ requested that the agency exercise its discretion under section 53(3)(d) to accept an application made out of time (that is, later than six months).
The agency declined to accept the application for Internal Review on the grounds that the application was out of time, and it did not use its discretion to extend the six month period. BQ applied to the ADT for a review of the agency’s conduct, including the alleged breach of one or more of the IPPs.
The primary issue considered in BQ’s case was whether the Tribunal’s review jurisdiction extended to the refusal of the agency to accept an application later than six months, or “such later date as the agency may allow,” as provided for by s.53(3)(d).
The respondent agency also submitted that the information referred to in BQ’s application was not “personal information” by reason of s.4(3)(j) of the PPIP Act. This issue was not dealt with by the Tribunal once it decided that it lacked jurisdiction to review the conduct of the agency.
The BQ case suggests that s.55(1)(b) of the PPIP Act may be construed more widely than was accepted by President O’Connor in the Y v DET case. It does not squarely challenge this reasoning however, and nevertheless reached a similar conclusion - that the Tribunal lacks jurisdiction to determine an application where an Internal Review application is made out of time.
There is a link to the full case from the Lawlink website, at:
http://www.lawlink.nsw.gov.au/caselaw/caselaw.nsf/pages/index
(Hint: Go to the ‘Administrative Decisions Tribunal’, then ‘2002 - General Division’, then ‘view case names’ then ‘B’.)
Our 2nd Special Report to Parliament: issues arising
A Special Report to Parliament by the Privacy Commissioner, made under s.65 of the PPIP Act, was tabled on 7 May 2002. The Special Report was a report of the investigation of a complaint from a student and his family, against the then Minister for Education, and two ministerial staff.
The Report is available from the Privacy NSW website.
The Report raises a number of issues for agencies, including the adequacy of staff training in their responsibilities under the PPIP Act, as well as the possibility of “constructively” identifying someone without naming them.
Constructive identification may be an issue, for example, in the publication of non-identifying statistical data, which may nevertheless be aggregated with other data to effectively re-identify some individuals.
However we would urge caution before seeking to apply the notion of “constructive identification” to FOI applications for example, given that the FOI and PPIP Acts operate with different legal definitions and frameworks. We are now working on some general guidelines for agencies on issues related to constructive identification, and its relevance in the PPIP framework and privacy context.
Results of the client satisfaction survey and resourcing review of our Office
Thank you to all who contributed to our recent ‘client satisfaction’ survey.
The survey was distributed to all PCOs for whom we have email addresses, to our Privacy Roundtable members, randomly to 50 members of the public who had recently lodged complaints with our Office, and randomly to 50 individuals or organisations which had sought advice from our Office.
The survey was conducted by Andersen Consulting on our behalf, as part of a wider review of the resourcing and operations of Privacy NSW.
The major results of the survey were:
- overall, clients are satisfied to neutral with the services provided
- clients are satisfied with the quality of advice
- clients are satisfied to neutral with the timeliness of advice
- clients are neutral to dissatisfied with the quality of complaint conciliation
- clients are dissatisfied with the timeliness of complaint conciliation
- Privacy NSW needs to provide more education, training and research
We’ve also seen a rapid increase in the demand on our services in the past six months, in particular requests for advice from agencies and of course the increasing number of Internal Reviews which we are oversighting.
A number of recommendations have therefore been put by Privacy NSW to the Attorney General's Department about how to best resource Privacy NSW to improve our client services, especially regarding timeliness. Those recommendations are now under consideration as part of the budget allocation for 2002-03.
In particular, we would like to improve our services to you by creating a dedicated education, training and publications team, upgrading our website, and providing more regular services to Privacy Contact Officers.
In the meantime, Privacy NSW is here to assist agencies in adopting and complying with the PPIP Act. To contact any of our staff, email us at privacy_nsw@agd.nsw.gov.au, or call (02) 9228 8585.
Wishing you all the best,
Anna Johnston
DEPUTY PRIVACY COMMISSIONER
|
|
