Need to Know - No 2 December 2003 - February 2004


Past trends, future prospects
Health Records Statutory Guidelines
Guidelines on Privacy and People with Decision-Making Disabilities
Internal Review – What are they complaining about?
Privacy Commissioner’s role in Tribunal supported by Appeal Panel
Regular features:




Past trends, future prospects

The last few months have been busy ones for us at Privacy NSW. In September the International Conference of Data Protection and Privacy Commissioners in Sydney, which we co-hosted, examined a wide variety of hot privacy topics from around the world, from biometrics and genetics, to using technology to support a culture of privacy in your organisation.

In October the Privacy and Personal Information Protection Amendment Bill went before NSW Parliament. Last week Parliament rose for the year without debating the Bill in the Upper House. In 2004 the 5-year statutory review of the PPIP Act will commence in earnest, so no doubt next year will provide further opportunities for all stakeholders to debate whether the objectives of the PPIP Act are being met, and, if not, what is the best model for reform.

Privacy NSW has also been looking back at the trends in privacy for 2002-03, as you will see in this edition on page 2. One emerging area is the significant body of privacy case law being developed by the Administrative Decisions Tribunal. Not only is this helping us all understand the PPIP Act a little better in its application, but also clarifying the role of the Privacy Commissioner in the Tribunal (see page 3).

2004 will also bring the commencement of the Health Records & Information Privacy Act, and we will be bringing you some new publications and education activities, to help everyone prepare for the new Act.

I would like to take this opportunity to wish you all the best for the holiday season. I look forward to working with you in 2004.

Regards,
Anna Johnston
Deputy Privacy Commissioner

Health Records Statutory Guidelines

NEWS FLASH – HRIP Act will start on 1 July 2004!

Privacy NSW and NSW Health are working together to prepare for the commencement of the Health Records and Information Privacy Act on 1 July 2004. As part of this joint effort, we are preparing statutory guidelines dealing specifically with some of the exemptions in the 15 Health Privacy Principles (HPPs). A first version of the guidelines has recently been out for public consultation.

These statutory guidelines do not apply to everyone covered by the Act – only organisations seeking to rely on the exemptions in the HPPs for the management of health services, training, research and/or third party collection need to comply. We have prepared a Fact Sheet to help clarify this point which you can download from our website (see “Publications” below).

NSW Health and Privacy NSW are also working on other plain English guides and manuals to help you understand this Act.

What is a Statutory Guideline?

A statutory guideline is more than a user manual or plain English guide. It is a document which is prepared in order to accompany an Act and to expand on points raised in an Act. In this case, it defines the scope of some of the exemptions in the HPPs. It sets out how the exemption applies, and what you need to do in order to comply with the exemption. Statutory guidelines are therefore binding, as opposed to just a helping hand.

Guidelines on Privacy and People with Decision-Making Disabilities

Privacy NSW is in the final stages of drafting the Guidelines on Privacy and People with Decision-Making Disabilities (formerly the Guidelines on Consent and Capacity). We would particularly like to thank those who contributed to the consultation evening and through submissions on earlier drafts.

The guidelines will clarify and give guidance on complex issues that arise in protecting the privacy of adults who may lack “capacity” due to a disability or injury, such as a mental illness or an acquired brain injury. Privacy NSW is responding to the needs of public sector agencies and the community to deal with this complex question.

The final version of the Guidelines will soon be published on our website. Check the “What’s New” page for more information.

Internal Review – What are they complaining about?

Who is making privacy complaints in NSW? What are they complaining about? We’ve been looking at last year’s trends in Internal Reviews across all public sector agencies, and they can tell us what the danger areas are and also help us avoid them.

Most likely agencies to receive an Internal Review

Agencies in the human services sector feature prominently, followed by the transport sector, then local government and the justice sector, and then regulatory and central agencies.

Who is complaining?

The most likely sources of Internal Reviews are clients of any particular agency. This represents a reversal in the trend from the first year that Internal Reviews were available, in which employees of agencies were the most likely category to complain. This pattern may have been a natural result of the introduction of the legislation, in that public servants heard about the PPIP Act well before members of the public did.

What are they complaining about?

The most common types of information or practice at issue during 2002-03 were personal contact details, health records, customer/membership and student records, and criminal records. Compared to previous years, the number of applications dealing with employment records, and local government and land title records, has diminished.

When are the problems occurring?

By far the main problem spots are at the point of collection and then when the information is being disclosed. Other issues such as data security and first party access rights are the source of fewer complaints.

What’s happening in the Internal Reviews?

Of the 73 Internal Review applications finalised in 2002-03, in 65 cases an Internal Review was completed by the agency concerned. In only 2 cases did the complainant exercise their option of going straight to the Administrative Decisions Tribunal before the Internal Review was complete (i.e. if the review has taken more than 60 days already).

Of the 65 cases reviewed, a breach of the IPPs was found by the agency in 18 cases (28%).

For those 47 cases where no breach was found, in only a few cases was the alleged conduct found never to have occurred, and in a quarter of cases the evidence was arguable. In 42% of cases the conduct was found to have occurred, but the conduct complied with the IPPs. In a further 17% of cases the conduct was found to have occurred, it was not in compliance with the IPPs, but nonetheless that non-compliance was authorised by a lawful exemption.

In terms of outcomes for the 18 cases in which a breach of the IPPs was found, often multiple remedies were offered. The remedies offered to the complainant included apologies, rectification, and financial compensation. In a third of cases the Internal Review resulted in a change in practices in the agency, and in over half the cases re-training of staff was also promised as a result.

What is an Internal Review?

An Internal Review is an internal investigation that a government agency is required to conduct when an individual makes a privacy complaint.

Under Part 5 of the PPIP Act individuals may seek an Internal Review by an agency where they believe there has been ‘contravention’ of an Information Protection Principle, a Public Register provision or a Privacy Code of Practice made under the Act. The Privacy Commissioner has an oversight role in the conduct of Internal Reviews.

We have developed a checklist which explains how to conduct an Internal Review which can be downloaded from our website.

If you have any questions, please call us on (02) 9228 8585

There will be comprehensive analysis of the Internal Reviews for 2002-03 in our next Annual Report.

Privacy Commissioner’s role in Tribunal supported by Appeal Panel

A recent Appeal Panel judgment (Macquarie University v FM) has supported the view that the role of the Privacy Commissioner before the Administrative Decisions Tribunal includes both original hearings and any matters that go on appeal to the Appeal Panel.

The Appeal Panel stated that this interpretation is:

      consistent with the beneficial objects of this landmark piece of human rights legislation and the central role given to the Privacy Commissioner in the legislation to make it work.

However, our role in the Tribunal is not about supporting or advocating for either the applicant or respondent. In accordance with the Commissioner’s various functions which relate to the protection of privacy, we are concerned that the PPIP Act is interpreted in a way that promotes the objects of the PPIP Act – namely, to protect the privacy of individuals. Therefore our intervention in the Tribunal is primarily concerned with matters of statutory interpretation; our interest in proceedings is quite different to the interests of the two parties.

We may provide limited assistance to parties where this is consistent with the Commissioner’s role of assisting the Tribunal in a review of conduct under the PPIP Act. For example, staff of Privacy NSW may assist the parties and the Tribunal to clarify issues, including whether there are any Privacy Codes of Practice or directions made under section 41 of the PPIP Act that may be relevant to the particular case.

We recognise that our submissions may indirectly strengthen the case of one or other party. We therefore need to carefully consider the circumstances in which it is appropriate for the Privacy Commissioner to exercise his right to appear. We are currently developing a Protocol which will spell out our policy and approach to appearing in the Tribunal in more detail, which will help clarify our role for all parties appearing in the Tribunal.

The Administrative Decisions Tribunal can conduct a review of a public sector agency’s conduct under Part 5 of the PPIP Act. Cases can only be brought to the Tribunal by applicants who are not satisfied with the results of their Internal Review application.

In addition to the parties to the case (the applicant and the respondent agency), the Privacy Commissioner has a right to appear and be heard in any PPIP Act proceedings before the Tribunal. The Privacy Commissioner is usually represented by one of Privacy NSW’s legal officers.

Regular features:

  • Privacy in the News

Identity theft on the rise

The appropriation of your identity by someone else is a grave form of privacy invasion. Recent email scams have been hitting large Australian organisations such as Westpac, the Commonwealth Bank and eBay. In a practice known as ‘phishing’, millions of scam emails have been sent trying to fool users into giving personal details, bank account details and PIN numbers.

Identity fraud and identity theft, including Internet identity scams, are a growing crime industry with costs to society reaching the millions of dollars. A recent report by SIRCA found that identity fraud in 2001-02 cost Australia an estimated $1.1 billion.

The challenge for government is how to uphold privacy by protecting people from identity theft, without infringing the privacy of the same people that we are trying to protect.

(AFR, 05/09/03 and SMH, 12/09/03. See also Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent, Suresh Cuganesan and David Lacey, SIRCA, Sydney 2003.)

News from the Federal Privacy Commissioner

The Federal Privacy Commissioner, Malcolm Crompton, has announced that he will not seek re-appointment when his term expires in April next year. Over the last 4 ½ years, his Office has overseen the extension of Federal privacy laws to the private sector in December 2001.

According to their annual report, last year the Office of the Federal Privacy Commissioner received 21,290 telephone inquiries and almost 1100 complaints. Almost a third of the closed complaints related to the improper disclosure of personal information.

(AFR, 19/03/03 & SMH, 04/11/03)

The pants police

We couldn’t go past this one for invasion of privacy! The Age recently reported on “Teen Screen”, a new test kit which has been designed to help parents track their daughter’s sexual activities. The kit uses a semen detection system which identifies semen on undergarments or other clothing.

The product is also being marketed as an infidelity kit for adults in Europe and the USA, though it is suggested that the kit should not be used on teenage boys “given their healthy interest in solitary sperm production”.

Australian specialists in adolescents have been horrified by the test, stating that trust, respect and open communication are a much better way to deal with parent-teenage relationships.

Paul Chadwick, Victorian Privacy Commissioner, recently stated “As genetic knowledge grows, more and more products and services can be expected to be marketed, and consumers will need to ask themselves whether the claimed benefits of this or that offering really do outweigh the potential harm they might inflict on relationships. Technologies come and go, but values like trust and respect for privacy endure.”

(The Age, 06/08/03 and Privacy Victoria)

  • From the Tribunal

HW v Commissioner of Police, NSW Police and Anor [2003] NSWADT 214 – Decided: 10 September 2003

HW (a doctor) was a defendant in a criminal trial on a charge of culpable driving. During the trial, a police officer assisting the Director of Public Prosecutions (DPP) prepared an invalid subpoena and presented it to the NSW Medical Board and HW’s employer, an Area Health Service.

The Medical Board and the Area Health Service provided information about HW to the police officer, including details of HW’s personal medical history. The police officer handed the information directly to the prosecution and defence teams in court, instead of returning it to the court in a sealed envelope. As a result, sensitive information about HW became known to members of the prosecution and defence teams, and also allegedly to HW’s father who sat in court when the information was exchanged.

The subpoena was unlawful and HW subsequently challenged both the Police and the DPP under the PPIP Act for breaching the IPPs. The Tribunal found that the Police did not breach any IPPs because the exemption from compliance with the IPPs in section 27 applies generally to the Police’s ‘core functions’, as distinct from ‘administrative and educative functions’. It also found that the DPP did not breach most of the IPPs on the basis of exemptions relating to law enforcement under section 23, although the Tribunal reserved its decision in relation to IPP 4 (whether or not the information collected is relevant, accurate, up-to-date and not excessive).

In summing up, President O’Connor said that:

      Hopefully (the detailed Internal Reviews conducted by the Police and the DPP) have contributed in the future to greater rigour in the process of collecting sensitive information by subpoena and ensuring that strict protocols are observed in keeping subpoenaed material secure and presenting it direct to the court or tribunal.

(Note: The conduct in this case predates changes to the way subpoenas are issued under section 222(2) of the Criminal Procedure Amendment Act 2001)

Vice Chancellor, Macquarie University v FM [2003] NSWADTAP 43 – Decided: 23 September 2003

Macquarie University appealed the Tribunal’s decision in FM v Macquarie University [2003] NSWADT 78 about Macquarie University’s disclosure of personal information about a student (FM) to the University of NSW (see the July 2003 edition of our Newsletter). The appeal centered on: the role of the Privacy Commissioner in the Tribunal; the definition of personal information; and the requirements for consent to non-compliance with IPP11.

There are some key points to note regarding the PPIP Act from the Tribunal’s judgment:

• The right of the Privacy Commissioner to appear and be heard in any PPIP Act proceedings before the Tribunal extends to appeal proceedings; the Privacy Commissioner is not to be treated as a party to proceedings.

• The definition of personal information under section 4 is not limited to information that is recorded in a material form; that is, in certain circumstances it extends to non-recorded information which is “acquired in an official capacity by the officer, is being used for official purposes and clearly is relevant to the organisation”.

• The Tribunal will strictly apply the requirement for express consent in section 26(2) in relation to disclosure.

The Ombudsman v Koopman & Anor [2003] NSWCA 277 – Decided: 29 September 2003

This is the first instance in which the scope of the PPIP Act has been considered by a superior court. The Ombudsman appealed the ADT’s decision of CP v The Ombudsman (20 June 2002) to the Court of Appeal, arguing that the Tribunal did not have jurisdiction under the PPIP Act to review its conduct by virtue of section 35A of the Ombudsman Act 1974, which provides that “civil and criminal proceedings” shall not be brought against the Ombudsman and its officers without the leave of the Supreme Court.

The Court of Appeal held that both Acts can exist together on the basis that a review of conduct of the Ombudsman’s Office under the PPIP Act first requires the leave of the Supreme Court. The Court did not review earlier decisions on the scope of s35A, or provide detailed reasons for rejecting the arguments for jurisdiction that had persuaded the Tribunal to waive the requirement for a prior application to the Supreme Court.

For our case summaries and links to the full text of judgments, see our website.

  • Publications

Privacy NSW Annual Reports

Our Annual Reports for the last few years are now available on-line in electronic versions from our website.

Your Privacy – Protecting Privacy in NSW

We have recently produced a simple brochure for members of the public which briefly explains who we are and what the PPIP Act is. You can download a copy from our website or if you would like to receive a limited number of hard copies please send an email to privacy_nsw@agd.nsw.gov.au including your postal address and how many copies you would like.

HRIP Act Guidelines & Fact Sheet

Keep an eye on the HRIP Act page on our web site for the latest materials on the HRIP Act, such as the draft statutory guidelines and their accompanying Fact Sheet. See our website.

Privacy Training Program – Troubleshooting webpage

The Department of Commerce has created a web site which contains technical troubleshooting information for the Privacy Training Program (the same information was sent by email to all Privacy Contact Officers in a News Alert in November 2003).
See http://www.oict.nsw.gov.au/pages/13.1.12.privacy_1.htm

  • What’s on

Dates for your Diary:

Tentative dates for next year’s FOI and Privacy Practitioners' Network Meetings:

- 19 February 2004
- 20 May 2004
- Dates for the August meeting to be confirmed
- 18 November 2004

We know that most of you can’t make it to all of these meetings. Stay tuned next year for more information about one event not to miss.

24-27 February 2004 - Electronic Documents and Records Management, Duxton Hotel Melbourne. See http://www.iir.com.au/telecoms




  Last updated 15 February 2007   Crown Copyright ©  