December 2001 Newsletter

Dear Privacy Contact Officer,

Welcome to the December 2001 newsletter from Privacy NSW - our way of keeping you up-to-date on privacy-related matters, your responsibilities as a Privacy Contact Officer, news about implementation of the Privacy and Personal Information Protection Act 1998 (the PPIP Act), and other developments in our Office.

This newsletter covers a number of important topics which impact on all public sector agencies and local / county councils:

  • a new practice for the drafting of Privacy Codes of Practice
  • a reminder about your obligations with respect to internal reviews, and what must go in your annual report
  • a summary of the first case to go to the ADT under the PPIP Act
  • a reminder about the Privacy Commissioner’s ‘special reporting’ powers

You’ll also find enclosed an insert to be placed in your organisation’s copies of the ‘blue guide’ (A Guide to Making Privacy Codes of Practice), and a copy of the first three issues of Privacy Bulletin - more about these below.


First things first - have you changed your details?

First, a reminder that if there has been any change in the contact details for your organisation, and/or the name of your Privacy Contact Officer, please let us know by email.

The name and address used for this newsletter is the latest information that we have. If we don’t have a Privacy Contact Officer listed for your organisation, we’ll continue to write to the CEO / equivalent of your organisation. (For local councils, we’ll write to the Public Officer.)

To notify a change, please write ‘changed contacts for PCO’ in the subject heading, then email your message to us at privacy_nsw@agd.nsw.gov.au - making sure you identify in the text which public sector agency or council you are from.


Important - a new practice for the drafting of Privacy Codes of Practice

Privacy Codes of Practice are made by the Attorney General under section 31(5) of the PPIP Act. The Attorney General receives a proposed draft Code and any submissions made by the Privacy Commissioner in relation to the proposal. A draft Code may be proposed by either the Commissioner or a public sector agency. If the latter, Section 31(2) provides that the agency must consult with the Privacy Commissioner before submitting their draft Code to the Attorney General.

In practice, the procedure to date has involved detailed negotiations between agencies and the staff of Privacy NSW on the actual drafting of Codes. The Office of the Parliamentary Counsel was not involved. As a result the various Codes already made have reflected the drafting styles of officers from a number of different agencies. Feedback from agencies and members of the public has indicated that a more consistent style of drafting would be of assistance - as would greater ease in accessing the Codes once they have been made.

To this end, it has been agreed that the Office of Parliamentary Counsel will in the future draft all Privacy Codes of Practice. The role of the Privacy Commissioner will be more focussed on providing commentary on the policy content of proposals for Codes, rather than directions on matters of drafting technique.

What this means for you - accessing finalised Codes

All Codes will be accessible like other statutory instruments, for example on public websites such as www.austlii.edu.au. All existing Codes will eventually be reviewed and revised using this procedure.

What this means for you - proposing new Codes

There is therefore a new practice for you to follow if your agency intends to propose a new Privacy Code of Practice. Included in this newsletter is a step-by-step guide to the new procedure, which should be copied and placed at p.10 of your agency’s copies of the ‘blue guide’, A Guide to Making Privacy Codes of Practice, Privacy NSW, September 1999.

In short, your role will be to liaise with our Office, and then prepare drafting instructions for Parliamentary Counsel, rather than attempt to draft the actual Code yourself. For assistance in how to develop drafting instructions, you might find the Manual for the Preparation of Legislation useful: go to www.pco.nsw.gov.au and follow the links via ‘About PCO’ to ‘corporate documents’.


Reminder - your obligations

Your annual report

Don’t forget that you must publicly report your agency’s progress with respect to implementing the Act and conducting internal reviews. Section 33(3) of PPIPA provides that the annual report of each public sector agency must include:
  • a statement of the action taken by the agency in complying with the requirements of the PPIP Act, and
  • statistical details of any internal review conducted by or on behalf of the agency.

Receiving and conducting internal reviews

In the first year since the introduction of ‘internal review’ on 1 July 2000 as a remedy for complainants under the PPIP Act, our Office received notifications of only 22 applications for internal review. We know that some agencies have failed to notify us of applications received, because often complainants tell us how they’re progressing. We suspect the ADT will take a dim view of agencies which haven’t notified the Privacy Commissioner, let alone actively sought our Office’s input.

Don’t be caught out - under section 54 of the PPIP Act, as soon as practicable after receiving an application for internal review, an agency must notify the Privacy Commissioner of the application. You must also keep us informed about the progress and outcome of each matter. You should see internal review as an important risk management tool, especially for identifying those areas within the agency in which compliance with a particular IPP needs improvement.

Also be warned - the first ADT case (see below) has shown that an application for internal review need not be clearly identified as such.


Y v DET - the first case under the PPIP Act

In September 2001, the first case to go to the Administrative Decisions Tribunal under the PPIP Act was decided by Tribunal president, Judge Kevin O’Connor - Y v Director General, Department of Education & Training [2001] NSWADT 149. This case is of interest to all public sector agencies, both as employers and as the potential subject of applications for internal review.

This first case decided a number of jurisdictional questions, the foremost of which is the vexed issue of ‘out of time’ requests for internal review. President O’Connor found that the ADT had no jurisdiction to review the decision of an agency to reject an application for internal review made ‘out of time’ - that is, more than six months after the applicant first became aware of the conduct which is the subject of the application (s.53(3)(d) of the PPIP Act).

However President O’Connor also sounded a warning to agencies - in considering whether applications for internal review had to be described by the applicant as such, he found that “express reference” to the particular statute under which the application for review is made is not essential, especially where the context suggests that a statutory right is being invoked. However where the applicant is represented by an informed agent, such as a union or solicitor, “it is reasonable for an agency ordinarily to expect to find direct reference to any statutory right that is being invoked” [para 16].

The case of Y v DET was primarily about the exemption in s.4(3)(j) from the definition of ‘personal information’: “information or an opinion about an individual's suitability for appointment or employment as a public sector official”. President O’Connor found that such information need not be limited to selection, promotion, disciplinary or involuntary retirement processes. It could also include management reviews of work practices, work arrangements, and performance.

To find out more, follow the link to the judgment from our website.


The Privacy Commissioner’s ‘special reporting’ powers

Under section 65 of the PPIP Act the Privacy Commissioner has the ability to make a Special Report to Parliament “on any matter arising in connection with the discharge of his or her functions”. The Privacy Commissioner made his first Special Report to Parliament on 17 September 2001 - Complaint by Ms Carol Atkins against Queanbeyan City Council.

The Special Report was issued following an investigation into a complaint by Ms Carol Atkins, undertaken pursuant to section 36(2)(k) of the PPIP Act 1998. An Investigation Report was issued to the respondent Council, which recommended certain action be taken by the General Manager Mr Percy, and the Mayor Mr Pangello, including issuing Ms Atkins with a written apology for the breaches of her privacy.

Both Mr Percy and Mr Pangello refused to act on the Commissioner’s recommendations that they apologise to Ms Atkins. On 17 September 2001 the Commissioner therefore made a Special Report to Parliament on the matter. The Report is available on the Privacy NSW website: www.lawlink.nsw.gov.au/pc.nsf/pages/queanbeyan1


Changes in our communications

We’ve just finalised our Annual Report for 1999-2000. The Report is in a new format compared to the reports of our predecessor organisation, the Privacy Committee. It details the work we do, including dealing with 2,021 telephone queries, finalising 177 written complaints and answering 168 requests for written advice in the reporting year.

A copy of the Report has been mailed to the CEO (or equivalent) of your agency. Further copies may be obtained on request.

As well as our new-look Annual Report, enclosed you’ll find copies of the first three issues of Privacy Bulletin. This publication is an important step in our strategy to improve communication with our many stakeholders. The Bulletin will be a series of simple guides to various privacy-related topics. Most will be aimed at the general community, but occasionally we may produce a Bulletin on a topic primarily of interest to Privacy Contact Officers such as yourself. The Bulletins will be placed on our website, and hard-copy versions will be mailed or faxed to members of the public who contact us with a query about that issue.

Also as part of changes to improve our communication with stakeholders, every six months, in June and December, we’ll be mailing out a comprehensive newsletter to all Privacy Contact Officers. The newsletter will let you know of any other recent Bulletins, and also keep you up-to-date with other developments in the on-going implementation of the PPIP Act.

As this is our first comprehensive newsletter, please let us know what you thought of it! All comments and suggestions for future editions will be welcome - just send us an email headed ‘PCO newsletter comments’ to privacy_nsw@agd.nsw.gov.au


Changes in our staff

In July 2001 the new Deputy Privacy Commissioner, Anna Johnston, commenced. Anna was most recently A/ Principal Legal Officer at the NSW Department of Local Government. On 3 December 2001 two new Research & Policy Officers, Anne Stringer and Lucy Blamey, commenced, replacing Anthony Bendall and Rebekah Jensen.

As at 17 December 2001, the staff of Privacy NSW are:
  • Anna Johnston, Deputy Privacy Commissioner
  • John Gaudin, Legal & Policy Officer
  • Siobhan Jenner, Investigations Officer
  • John Rome, Research & Policy Officer
  • Lucy Blamey, Research & Policy Officer
  • Anne Stringer, Research & Policy Officer
  • Peggy Phan, Executive Assistant

Privacy NSW is here to assist agencies in adopting and complying with the PPIP Act. To contact any of our staff, email us at privacy_nsw@agd.nsw.gov.au, or call (02) 9228 8585.

Wishing you all the best for the New Year,





Chris Puplick
PRIVACY COMMISSIONER

REVISED PROCEDURE FOR THE MAKING OF
PRIVACY CODES OF PRACTICE

December 2001


This document replaces the text of ‘Step 6’ and ‘Step 7’, on pages 10-12 of the ‘blue guide’, A Guide to Making Privacy Codes of Practice, Privacy NSW, September 1999.

STEP 6: Submit the code to the NSW Privacy Commissioner

Part 1: Agency notifies Privacy NSW in writing of intent to propose a Code (e.g. to allow X, Y and Z)

Part 2: Privacy NSW provides written commentary to agency on the proposal (e.g. X is reasonable, Y could be done another way, Z is unreasonable). A copy of the agency’s proposal and Privacy NSW’s response is provided to Legislation & Policy Division of Attorney General’s Department.

Part 3: The agency reviews their proposal and amends it (e.g. leaves X as is; fixes Y as recommended; but leaves Z as is). The agency is responsible for ensuring the proposal is in the form of drafting instructions, following the Manual issued by Parliamentary Counsel’s office.

Part 4: Agency seeks the in-principle approval of the Attorney General to submit the revised proposal to the Parliamentary Counsel, in the form of drafting instructions.

Legislation & Policy Division reviews the revised proposal (with the benefit of the Privacy Commissioner’s earlier views) and recommends a course of action to the Attorney General (e.g. approval to draft X and Y only). The Attorney General’s in-principle approval is issued.

Part 5: Agency forwards drafting instructions, along with letter of in-principle approval from the Attorney General, to the Parliamentary Counsel. Parliamentary Counsel will not commence drafting without such approval.

Part 6: The agency is primarily responsible for liaison with Parliamentary Counsel with respect to the drafting process. However the penultimate draft must also be circulated to Privacy NSW for a final review, to ensure the drafting matches the policy intent, and to ensure there is clarity about which Code prevails over another in the event of any inconsistency.

Privacy NSW will then provide final comments to both the agency and the Legislation & Policy Division of Attorney General’s Department.

STEP 7: Send your revised code to the Attorney General for approval

The agency submits the draft Code to the Attorney General for final approval and signature. Once the Code is made, it will be published in the Government Gazette, and provided to other sources such as “Austlii”.




  Last updated 15 February 2007   Crown Copyright ©  