Download Need to Know in PDF version
Privacy in our communities - Lost in translation?
Professional Development Day
PPIP Act under the microscope
Exemptions update
What codes and directions do
State-owned corporations
Taking privacy to our communities
Regular features
Privacy in our communities - Lost in Translation?
This quarter we have turned our attention to members of our community who, for different reasons, may find it difficult to understand or to enforce their basic privacy rights. The PPIP Act requires government agencies to notify clients about their privacy rights, though notification can become tricky when dealing with clients from non-English speaking backgrounds or those affected by decision-making disabilities.
The concept of ‘privacy’ is difficult enough in English without even having to delve into cross-cultural translation. That is why we have developed a simple new tool, aimed at assisting agencies in getting a step closer to making sure that people of non-English speaking backgrounds are made aware of their privacy rights. You can learn more about this new project, the Community Language Privacy Notice, in this newsletter.
We have also tried to tackle the complex question of privacy rights for people with decision-making disabilities. Many months in the making, our first best practice guide Privacy and people with decision-making disabilities is hot off the presses. Printed copies are being sent to all public sector agencies, and you can download an electronic copy from our website. See the “Publications” section of this newsletter.
There are quite a few other housekeeping matters in this newsletter for your attention, including the 5-year review of the PPIP Act and its ramifications for all agencies. You will also notice the number of cases being lodged in the
Administrative Decisions Tribunal has grown exponentially over the last couple of years, with 10 new judgments already this financial year. We hope you find our case summaries – and other new initiatives we’ve mentioned above – useful for interpreting and applying the Privacy and Personal Information Protection Act in your day-to-day business.
John Dickie
Acting Privacy Commissioner | Anna Johnston
Deputy Privacy Commissioner |
Date for your diary – Professional Development Day
Privacy Awareness Week this year is 23-27 August 2004. To mark this event, we are organising the first ever Professional Development Day for all Privacy Contact Officers in NSW. The day’s program will include guest speakers, recent developments in NSW privacy laws and workshops on specific areas that affect you in your day-to-day work.
The Professional Development Day will be held on Monday 23 August 2004, and the usual FOI and Privacy Practitioners’ Network meeting will be held on the following morning (Tuesday 24 August). For those of you who are not based in the Sydney-Metropolitan area, you may want to take this opportunity to come to Sydney and meet with your counterparts from the across the State. More details will be available soon.
PPIP Act under the microscope
The PPIP Act is up for its five-year review this year, which will be conducted by the NSW Attorney General’s Department. The review, as with all reviews of new legislation, will determine whether the policy objectives of the Act remain valid, and whether the Act is meeting those objectives.
Privacy Contact Officers and other stakeholders can begin preparing for the review by thinking about your experiences in interpreting and implementing the Act. Points to consider are:
• the IPPs and the exemptions to the IPPs – are they clear? appropriate?
• how useful are the separate public register provisions?
• how appropriate is the enforcement mechanism of internal review followed by external review by the ADT?
• should the roles and responsibilities of the Privacy Contact Officer be formalised in legislation?
• should the Act provide more guidance on how to protect privacy generally, not just personal information?
• how appropriate / useful are the dual roles of Privacy NSW in both providing assistance and advice to agencies, as well as enforcement?
• how could the interaction between the PPIP Act and other legislation (FOI Act, State Records Act, Local Government Act) be simplified?
• are the objectives of the Act - “the protection of personal information”, and “the protection of the privacy of individuals generally” – met by the actual terms of the Act?
The Attorney General’s Department will be defining the terms of reference and the timeframe for submissions, and must report to Parliament by 30 November 2004. We will be keeping you up to date with information about how to make your submissions as soon as it becomes available.
Exemptions update: codes and directions
| A code of practice is a legal instrument that authorises departures from the Information Protection Principles (IPPs) or public register provisions of the PPIP Act. Codes are negotiated with Privacy NSW and approved by the Attorney General’s Department. A code can apply to one or a number of agencies.
A section 41 direction can exempt a NSW public sector agency or agencies from having to comply with an IPP in specific circumstances. Directions are issued by Privacy NSW, with the approval of the Attorney General. Generally, they have a limited life-span, and can apply to one or a number of agencies. |
The Attorney General’s Department and Privacy NSW have decided to cease work on a number of sector-wide codes which were in the pipeline. Given the impending review of the PPIP Act this year, one of the issues to be considered will be the possibility of including exemptions for these activities within the Act itself, as has been done with the HRIP Act.
However this decision does not affect the development of codes that only cover one agency, and we hope to have a number of agency-specific codes finalised this year.
In the meantime, the various section 41 directions temporarily covering all agencies in relation to activities such as
research, investigations and transfers of information, have been extended to 31 December 2004. We will consider the future of those directions once the report of the Act review has been tabled.
Consult the directions on our website.
What codes and directions do
(and what they don’t do)
A code or section 41 direction modifies the application of the IPPs to particular projects or activities of one or more public sector agencies. A code can also modify the application of the public register provisions.
A code or direction does not permit conduct that would otherwise be unlawful. In other words, it does not override any other laws, contracts or agreements which may already affect an agency, such as obligations to protect confidentiality or secrecy.
For example, a section 41 direction which modifies IPPs 11 or 12 (the disclosure principles) doesn’t necessarily provide a new lawful excuse for a disclosure to occur. All it can do is say that the disclosure, if it goes ahead, will not breach the IPPs in the PPIP Act. The disclosure must itself be lawful under other laws or agreements. Therefore, even with a section 41 direction, some disclosures may still be prohibited for other reasons.
Agencies should therefore act cautiously when relying on an exemption to the IPPs, and check that they are not inadvertently breaching other obligations like confidentiality or secrecy under their own legislation, policies or contracts.
State-owned corporations:
sector-wide implications
Public sector agencies need to be aware of the possible impacts on their compliance with the PPIP Act following the creation of a number of new state-owned corporations earlier this year (notably RailCorp and Sydney Ferries).
State-owned corporations are not considered ‘public sector agencies’ in the PPIP Act or the HRIP Act. However, state-owned corporations will be considered as ‘private sector organisations’ under the HRIP Act, which commences in July 2004.
Agencies that collect personal information from, or disclose personal information to, RailCorp or Sydney Ferries will no longer be able to rely on the Direction on Information Transfers between Agencies. This is because the section 41 direction only authorises the transfer of information between public sector agencies, which no longer applies to these new state-owned corporations. In other words, if you have been sharing information with the Department of Transport or State Rail, you can no longer do so with RailCorp under that direction.
We are obviously concerned about the loss of enforceable privacy rights for the employees and clients of these new state-owned corporations. For further clarification or advice, please contact Privacy NSW.
Taking privacy to our communities - New Community Language Privacy Notice
Privacy can be a difficult concept to explain in the best of circumstances, and it does not become any easier when dealing with communities from non-English speaking backgrounds. In many languages, there isn’t a word for “privacy”, or if there is, its connotations are not the same as in English.
In response to a request by one of our Privacy Contact Officers, we have developed a new tool to help NSW public sector agencies reach their clients from non-English speaking backgrounds, and comply with the PPIP Act at the same time. The first in a new series of Privacy Essentials, the Community Language Privacy Notice is a generic privacy notice, translated into the 23 most common NSW community languages. It is available for free for all NSW public sector agencies to use. You can use all 23 translations, or just a selection of the languages which are most appropriate to your audience.
The Community Language Privacy Notice and its accompanying instruction sheet can be downloaded from the Publications page in this website.
Regular Features
Privacy in the News
Health privacy and the Stars
Medical information seems to be next in line in the endless privacy invasions into the lives of the rich and famous. Recently Nicole Kidman’s medical records were stolen from a hospital in Los Angeles. Kidman was forced to release a statement to quash the rumours that quickly followed in which she denounced the “invasion of my medical privacy”. She has since spoken publicly about her experience with pre-cancer screening.
Controversy still continues, however, over the medical records of the late Dr Robert Atkins, inventor of the highly publicised low-carbohydrate, high-protein diet. His medical records, apparently released “in error” by the City of New York, showed that Atkins weighed over 114kg and was suffering heart problems when he died last April. New York’s Medical Examiner’s Office has apologised to the doctor’s widow, who is considering legal action.
(SMH 12/02/04 and the Sunday Telegraph 08/02/2004)
Biometric borders on the rise
The New Year saw the beginning of a new era in airport security as the United States began taking photographs and fingerprints of foreigners arriving at its airports. The “biometric defences” were introduced in 115 airports and 14 ports, and it is planned that visa applicants will have to give a fingerprint and a photograph with the “United States Visitor and Immigrant Status Indicator Technology” (US-VISIT).
Authorities from some countries, as well as numerous privacy and civil liberties groups, have reacted angrily to the initiative.
The Australian Department of Foreign Affairs has confirmed that Australia is working on its own version of this system, with all passports to carry a digital image of the passport holder’s face. All Australian passports issued on or after October 26 will contain biometric indicators to comply with the new American rules.
(The Australian, 07/01/04)
Police privacy scandal
Members of the Victorian Police force may be facing dismissal following a privacy scandal involving improper access to computer files. The scandal broke following an audit in which it was found that up to 35 police officers had used the police computer system – LEAP – to access information on the security guard who is charged with manslaughter over the death of former test cricketer David Hookes. Apparently some senior officers have admitted privately that it is not uncommon to access police files out of curiosity, and sometimes “just because they are bored”.
The Chief Commissioner had announced strict privacy guidelines which restricted access to confidential files without authority in October 2003, following earlier incidents of police improperly accessing the files of candidates in the State election. All police had to sign a statement of responsibility by the end of 2003.
(The Age, 12/02/2004)
From the Tribunal
KD v Registrar, NSW Medical Board [2004] NSWADT 5
Decided: 13 January 2004
This case demonstrates the importance of ensuring that complainants are aware that their information may be disclosed to third parties in the course of investigations carried out by agencies. The Tribunal found that the NSW Medical Board breached Information Protection Principles (IPPs) 11 and 12 when it disclosed certain of the complainant’s information, including health information, to the doctor under investigation. However in its reasoning the Tribunal held that IPPs 10 and 11 generally only apply to information that is ‘collected’ by an agency, and should be read subject to the exemption in section 4(5) of the PPIP Act relating to ‘unsolicited’ information. The Privacy Commissioner submitted that unsolicited information is subject to the protections of IPPs 5-12 once the information is held by an agency.
Despite this decision, we continue to advise agencies to aim for compliance with IPPs 5-12 in relation to all personal information held by the agency, whether or not it could be described as ‘unsolicited’. This approach represents both best privacy practice and a sensible risk management approach. We also recommend that agencies only apply the unsolicited exemption cautiously, as it may be difficult to prove that a particular piece of information was unsolicited, particularly if the agency is set up to receive information from members of the public.
GR v Department of Housing [2002] NSWADT 268
Decided: 17 December 2003
This case highlights the need for agencies to comply with the Information Protection Principles when responding to media inquiries. It also suggests the importance of clarifying the scope of a person’s consent before releasing their personal information to third parties. GR, a tenant of the Department of Housing, called a talk back radio station to complain about an incident involving the Department. The radio station rang the Department’s media unit (off-air) to check the veracity of GR’s complaint. The Department’s media officer described GR to the radio station as a ‘known trouble-maker’, and disclosed other unrelated information about GR. GR did not consent to these disclosures and the Tribunal held that the Department breached IPP 11.
GA and others v Department of Education and Training and NSW Police [2004] NSWADT 22
Decided: 17 December 2003
This case dealt with the limits of the Tribunal’s jurisdiction to consider conduct that was not part of the prior internal review. The Tribunal held that it would be unfair to allow the applicants to raise the issue of how the Department had collected their information, when this was not raised in their internal review application. The Tribunal also held that the exemption in section 4(3)(h), for information arising out of a complaint under Part 8A of the Police Act, covered information about applicants provided to the Police by the Department.
By way of contrast in JD v NSW Health [2004] NSWADT 7 Decided: 15 January 2004 the Tribunal rejected the agency’s objection to the applicant raising new issues before the Tribunal. The applicant’s original application had been sufficiently broadly expressed to cover the way the agency used the information even though this aspect of its conduct had not been dealt with in the internal review.
Chapman & Anor v NSW Police [2004] NSWADT 3
Decided: 12 January 2004
This case also dealt with the exemption under section 4(3)(h) of the PPIP Act for information arising out of a complaint under Part 8A of the Police Act. The Tribunal held that the exemption covered a disclosure that the Police investigating officer made to the employer of one of the applicants in the course of investigating the complaint. This recognises that sometimes an agency needs to disclose information in order to collect it. However the finding reflects the wording of the exemption and it is unclear how far the principle can be applied in other circumstances. The Tribunal also noted, without deciding, that the father of the individual whose information was disclosed could be seen as an aggrieved party for the purpose of making an application for review under Part 5 of the PPIP Act.
To read the full Privacy NSW case notes, see the Case Law in this website.
Publications
Privacy and people with decision-making disabilities
The Best Practice Guide is now available for downloading from our web site. A hard copy will also be sent to all NSW public sector agencies, and further copies will be available at a small cost from Privacy NSW.
See the Publications page in this website.
Health Privacy Principles – 2 New Fact Sheets
In preparation for the HRIP Act, we have published 2 new fact sheets on the Health Privacy Principles (HPPs) which describe the basic principles of the HRIP Act. As with the IPPs, we have created two fact sheets, one written for organisations in terms of their responsibilities and another for the general public in terms of their rights.
See our Publications page in this website.
Community Language Privacy Notice
See the article in this newsletter for more information about this new “Privacy Essential”. Download the Community Language Privacy Notice from the Publications page in this webiste.
What’s On
26 March 2004
Human Research Ethics Committee Training Day, NSW Health, Sydney
29 March 2004
Roundtable on Capacity, Wesley Centre, Sydney
14-15 April 2004
Privacy Agencies of Australia, New Zealand and Hong Kong (PANZA+) Meeting, Sydney
17-21 May 2004
National Law Week
17 May 2004
Law Week Fair at the NSW State Library, Sydney
20 May 2004
FOI and Privacy Practitioners’ Network Meeting, Parliamentary Theatrette, Sydney
