For the Media
Introduction
This section explains briefly why Privacy NSW was created, who it deals with, how it works and the kind of results it seeks to achieve.
Privacy NSW is the Office of the NSW Privacy Commissioner, established on 1 February 1999 under the Privacy and Personal Information Protection Act 1998. The role of Privacy NSW is to:
- educate the people of NSW about the meaning and value of privacy and to assist them in the protection and enhancement of that privacy
- promote the adoption of world’s best privacy practice by all holders of personal data, particularly NSW Government agencies, thereby promoting an increased level of trust in the community, especially between people and their government.
Privacy NSW protects privacy in the following ways:
- by advising individuals, government agencies, business and other organisations on what steps they should take to ensure that the right to privacy is protected
- by researching significant developments in policy, law and technology which may have an impact on privacy and by making reports and recommendations to relevant authorities
- by answering enquiries and educating the community about privacy issues
- by advising people of possible remedies for breaches of their privacy
- by receiving, investigating and conciliating complaints about breaches of privacy
- by overseeing the conduct of internal reviews into privacy complaints
- by appearing in the Administrative Decisions Tribunal in the review of privacy cases.
What Is Privacy?
Privacy has sometimes been described as:
- the right to be left alone, or
- the right to exercise control over one’s personal information, or
- a set of conditions necessary to protect our individual dignity and autonomy.
We often think about privacy in different ways, for example:
- physical privacy – such as bag searching, use of our DNA
- informational privacy – the way in which governments or organisations handle our personal information such as our age, address, sexual preference and so on.
- freedom from excessive surveillance – our right to go about our daily lives without being surveilled or have all our actions caught on camera.
What are the information protection principles?
The charter of Privacy NSW is to assist organisations to follow privacy best practice and the standards set out in privacy laws.
The key to the NSW law is set out in the 12 information protection principles. These are privacy standards that regulate the way NSW public sector agencies must deal with personal information. They are summarised below:
Collection
1. Lawful – only collect personal information for a lawful purpose. Only collect the information if it is directly related to the agency’s activities and necessary for that purpose.
2. Direct – only collect information directly from the person concerned, unless they have given consent otherwise. Parents and guardians can give consent for minors.
3. Open – inform the person as to what information is being collected, why it is being collected and who will be storing and using it. Agencies must also inform the person how they can see and correct this information.
4. Relevant – ensure that the information is relevant, accurate, not excessive and up-to-date. Ensure that the collection does not unreasonably intrude into the personal affairs of the individual.
Storage
5. Secure – ensure that personal information is stored securely, not kept any longer than necessary, and disposed of appropriately. Information should be protected from unauthorised access, use or disclosure.
Access
6. Transparent – explain to the individual what personal information about them is being stored, why it is being used and any rights they have to access it.
7. Accessible – allow people to access their personal information without unreasonable delay or expense.
8. Correct – allow people to update, correct or amend their personal information where necessary.
Use
9. Accurate – ensure that the personal information is relevant and accurate before using it.
10. Limited – only use personal information for the purpose for which it was collected, for a directly related purpose, or for a purpose to which the individual has given consent. Personal information can be used without consent in order to deal with a serious and imminent threat to any person’s health or safety.
Disclosure
11. Restricted – only disclose personal information if the person has given their consent or if they were informed at the time of collection that it would be disclosed in this way. You can only disclose the information for a related purpose if you believe the person concerned is not likely to object. Personal information can be disclosed without consent in order to deal with a serious and imminent threat to any person’s health or safety.
12. Safeguarded – do not disclose sensitive personal information without consent, for example, information about a person's ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. You can only disclose sensitive information without consent in order to deal with a serious and imminent threat to any person’s health or safety.
What is personal information?
The Privacy and Personal Information Protection Act 1998 (NSW) defines personal information as any information or opinion that relates to an identifiable person. This definition covers not only traditional areas of data storage, such as paper files, but also includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics. The Act excludes certain types of information from the definition of personal information, such as:
- information contained in a publicly available publication
- information about an individual’s suitability for public sector employment
- information about people who have been dead for more than 30 years.
However from 1 September 2004 health information will be regulated by a new Act.
“Because Of The Privacy Act”
There is widespread misapprehension about supposed restrictions on reporting incidents and events because of the provisions of ‘the Privacy Act’.
Organisations sometimes claim it is because of ‘privacy law’ that they are not permitted to disclose information to the media.
Some helpful hints for journalists
If you are wary of a claim that information is being withheld because of privacy law restrictions:
- ask your source or contact what section of which Act he or she is relying upon
- ask whether all of the exemptions which accompany the Act and which are sometimes set out in the Act have been considered. For example, operational law enforcement activities are exempt from the NSW privacy law
- check with the Privacy Commissioner
Assessing the privacy implications of new government initiatives
When examining new proposals or laws, the following questions may help point out whether the proposals or the laws comply with privacy principles:
- is it likely to increase the amount of personal information collected by government / business
- does it propose a new use for an existing source of personal information
- does it propose sharing, linking or matching personal information between different organisations
- does it propose new powers of entry, search or seizure
- does it propose surveillance as a method of achieving a policy or law enforcement objective
- does it create an identification system or require a new use of existing forms of ID
- is it being proposed by the makers or sellers of a new technology, looking for a market
About Privacy NSW
Staff and Budget
Privacy NSW consists of the Privacy Commissioner, the Privacy Services Manager and seven other staff.
The office deals with legal and policy matters, compliance and investigations, education and publications and office management.
It has an operating budget of $0.92 million in 2003-04.
Operations
Workload
Privacy NSW currently receives, per annum, about:
- 3,000 telephone, email and drop-in enquiries
- 200 formal requests for advice
- 200 formal complaints for investigation
- 100 internal reviews for oversight
- 40 new cases lodged in the Administrative Decisions Tribunal
This core workload has increased 62% since 2000-01.
These numbers are expected to rise when new health privacy laws commence on 1 September 2004.
Privacy Network
Privacy NSW is part of a network of similar agencies – Federal and State – engaged in addressing these privacy issues.
If complaints or inquiries come to Privacy NSW which do not come within the boundaries of our legislation, we refer those making enquiries and complaints to the appropriate agency.
Advice Case Studies
Our advice function includes:
- advising public sector agencies on how to comply with existing legislation
- commenting on new proposals, projects or initiatives in terms of their privacy impacts
- commenting on proposed new laws, and on reviews of existing laws, in terms of their privacy impacts
The following case studies from our 2002-03 annual report highlight the nature of this work:
Courts in the Spotlight
There are often tensions surrounding the protection of individuals’ privacy and the media's pursuit of informative and interesting material. However privacy and journalism are not incompatible. Both the protection of privacy and a free press are essential to upholding democratic values and rights such as freedom of speech.
In 2002-03, Privacy NSW provided advice to the Attorney General's Department on two proposals to film “reality TV” documentaries inside NSW courts. Documentary films can demystify how our courts and tribunals operate. However filming must be done in an accountable manner that protects the privacy and dignity of all concerned. Filming inside sensitive environments such as courts raises even more privacy concerns than other documentaries. This is because witnesses are forced by law to tell the truth and may need to reveal damaging or embarrassing information about themselves. The public broadcast of this information may have serious consequences for a person’s relationship with family, friends, employer, acquaintances and others.
Privacy NSW advised the Attorney General’s Department that filming inside courts should only proceed with the informed consent of all individuals who might be affected by the broadcast. Our advice stressed that relevant professional organisations - like the police and lawyers who appear regularly in court - must be consulted about their role in filming. However of more concern was the need to ensure adequate privacy protection for the accused, witnesses, jurors, victims, and their relatives and friends in court. These individuals may be vulnerable, are the least likely to have professional representation, and may have the most to lose if they are improperly filmed in court.
The Attorney General’s Department did not approve one proposal, to film inside local courts, as the production company would not agree to the recommended levels of privacy protection. However a proposal to film inside the Coroner’s Court, which incorporated more rigorous privacy protections for the most vulnerable individuals, was accepted. The results were shown on ABC TV as A Case for the Coroner.
The Disposal of Human Tissue
Following a recommendation by the Australian Health Ethics Committee on the ethical disposal of human tissue and organs collected at autopsy, we were asked to advise NSW Health on their procedures for consulting with families about disposal. The Department proposed providing information about the deceased to immediate family members to ascertain their views about how retained material should be disposed of. This could include health information to assist their decision-making.
The collection of information by NSW Health from other agencies and the disclosure of health information about a person to family members would normally require the person's consent. In the case of information about a deceased person, obviously the person is unable to give their consent. Information about recently deceased people is included in the PPIP Act's definition of personal information, as is body tissue itself.
While supporting the aims of the project we considered that the current law, including NSW Health’s Privacy Code of Practice, would not have permitted the proposed disclosure.
We advised that the Privacy Commissioner was prepared to make a direction to expedite the family consultation process. We also discussed the need for an approach that would minimise the likelihood of further distress to bereaved family members. We also advised that cultural and other sensitivities needed to be taken into account. The Privacy Commissioner made a section 41 Direction on 24 February 2003 to support the new procedures.
Guthrie Cards
As a result of a voir dire hearing in the Supreme Court in April 2001 on the admissibility of DNA evidence, we were made aware that DNA from a Guthrie card collected for NSW Health’s Newborn Screening Program had been used to identify a missing person who was presumed deceased. As this coincided with the Australian Law Reform Commission’s inquiry into the protection of genetic information (see below), we made inquiries with NSW Health as to how routine such investigations were. Later in 2001 we were invited to comment on a Protocol to allow NSW Police to access Guthrie cards for limited purposes.
Blood samples from newborns have been collected and stored on Guthrie cards in NSW for more than 25 years. They are used to screen newborn children for genetic defects and to support research into genetic conditions. NSW Health has assured parents that the cards will be stored confidentially and securely. We were concerned to establish that the introduction of very broad exemptions in the PPIP Act for disclosure of information for law enforcement should not lessen this high level of security and confidentiality. We were also concerned that their availability should not provide a way around the legal safeguards for collection of DNA samples under the Crimes (Forensic Procedures) Act.
The Protocol recognises that Police may need access to Guthrie cards, and lays down procedures for seeking access. It emphasises that in most circumstances this access should be limited to identification of bodies and identifying crime scene remains where a victim is missing or presumed to be dead. In both instances consent should be sought from next of kin.
After the Protocol was finalised in July 2002 we became aware of some public concern that the Protocol was designed to extend Police access to the Guthrie card collection, rather than its intended objective of establishing accountable collection for a limited range of purposes. Consequently we suggested that it would be desirable to make the Protocol public.
In December 2002 NSW Health advised us that a copy of the protocol had been placed on its website. We then linked to the Protocol and publicised its availability from the Privacy NSW website.
Privacy for Children
We sometimes assume that, because children rely on their parents for basic decision-making, including the information needed to make decisions, privacy does not apply to children. Sometimes this leads public sector agencies and other organisations to assume that they are free to use personal information about children without reference to them and without their consent. Children are not excluded from the requirements of the PPIP Act. Section 9 allows parents or guardians to consent to the collection of children’s information from third parties and there are a number of additional exemptions in Codes and Directions made under the PPIP Act. It is important to recognise that children are entitled to the same basic privacy rights as adults, except in circumstances where such rights need to be modified to reflect their developing capacity.
A number of advice matters during the year throw light on the issue of children’s privacy. We were asked for advice when a public sector agency sought an exemption from the Act to allow it to use photographs of child clients in publicity material without seeking consent. We took the view that such an exemption was unjustified. We also advised another agency on similar issues relating to the use of photographs of child visitors. And a third incident, which became the subject of an Internal Review, highlighted children’s privacy when a photograph of a child victim of a dog attack was supplied by the local council to the media, without consent from either the child or their parents. As a result of these issues we had discussions with the Commission for Children and Young People and agreed to work with them on guidelines for children’s privacy. This has become a project for the next year.
The use of information about school children raises significant privacy issues. Our advice was sought on a proposal for details of all school and TAFE students to be provided to the Department of Transport, to monitor users of bus and train passes under the School Student Transport Scheme. We pointed out that such a request ought to comply with a range of obligations under the PPIP Act affecting both the Department of Education and Training as the agency holding the information, and the Department of Transport as the agency collecting it. We were also asked for advice on the overlapping responsibilities of public schools under the PPIP Act and of private sector transport operators subject to the Federal Privacy Act. A similar issue involved the development of a protocol between the Department of Education and Training and NSW Police for sharing information about students as a means of reducing or minimising crime risks in schools.
Our advice pointed out that under the law enforcement exemption in section 23 of the PPIP Act the Department could disclose information which had a direct relationship to possible offences. Sharing information about risks relied on provisions of the Department’s Privacy Code of Practice which permit the collection and disclosure of personal information where considered necessary to “promote a safe and disciplined learning environment”. We warned that these exemptions should not be interpreted so broadly as to effectively deny students any privacy rights. We suggested that the protocol should provide the opportunity for a more detailed description of how the exemptions should be applied.
Another issue we were asked to comment on involved the development of a protocol to resolve problems about the behaviour of young people in shopping centres. This would involve collecting photographs of young people who had come to the attention of security staff. We pointed out the need for a protocol to recognise existing laws and procedures affecting retailers, including the Federal Privacy Act. Further development of the protocol needed to balance the interests of children and young people with those of retailers and centre management, including their right to enter and move around shopping centres without being forced to provide identification.
On a somewhat different note, in July 2002 the Acting Privacy Commissioner released a position paper on Child Offenders and Privacy. This was in response to heated public discussion about identifying juvenile offenders in high profile sexual offence trials.
The paper supported current arrangements under the Children (Criminal Proceedings) Act which require the sentencing judge to balance the principles of open justice against prejudice to the child offender when determining whether to disclose the identity of people convicted of serious indictable offences committed when they were children. The paper opposed attempts to remove this protection.
The Gene Genie
Following on from their Issues Paper in March 2002 (see our 2001-02 Annual Report), the Australian Law Reform Commission and the Australian Health Ethics Committee of the National Health and Medical Research Council released a Discussion Paper in August 2002 on the protection of human genetic information. In December 2002 Privacy NSW made an extensive submission on the Discussion Paper. A copy of our submission can be downloaded from our website. The final report, 1200 pages long and containing 144 recommendations, was released in May 2003.
The report, Essentially Yours: The Protection of Human Genetic Information in Australia, is the product of two years of inquiry, research and widespread public consultation. It has been well received by stakeholders such as family lawyers, geneticists, life insurance companies, as well as in the wider community. Essentially Yours aims to strike a balance between scientific progress and the protection of privacy. Our views and advice were taken into account by the ALRC / AHEC, especially in sections dealing with ‘Information and Health Privacy Law’, and ‘Privacy of Genetic Samples’.
The report recommends that:
- DNA parentage testing should be conducted only with the consent of both parents, or with a court order
- Employers should not be permitted to collect or use genetic information - except in rare circumstances
- Privacy laws should be harmonized and tailored to address the particular challenges of human genetic information
- A standing Human Genetics Commission of Australia should be established to provide high-level, technical and strategic advice.
Complaint Case Studies
A number of functions and activities fall under the broad charter of Privacy NSW to ensure ‘the protection of privacy’. One function is the investigation and conciliation of privacy complaints. The following case studies from our 2002-03 annual report illustrate the nature of that work:
Criminal Identity
Privacy NSW received a complaint relating to the accuracy of criminal records held by the NSW Police Service. The complaint highlighted the privacy impacts of identity theft and identity fraud, and the consequences that can arise when an individual assumes another person’s identity.
The complainant (Mr A) notified us that he discovered that another individual (Mr B) had been using Mr A’s name. Mr B had been arrested and charged by NSW Police on several occasions with various offences and had given his name to the Police as Mr A. Mr B had also been imprisoned. As a result, Mr A received communications from other government agencies which incorrectly stated that he had been charged with a number of offences and had recently been in prison.
Mr A complained to the NSW Police Service. He was informed that because Mr B had given a false name when he was first charged, the Police Service criminal record system would always default to the name given on the first charge. In this case Mr A’s name would head the criminal record for Mr B, even though the Police subsequently discovered Mr B’s real name. This effectively meant that Mr B’s criminal record was recorded under Mr A’s name but with a notation that his real name, Mr B, was an “alias”, and included a warning that he should be charged under his real name Mr B.
Mr A complained to Privacy NSW that the Police Service was in breach of IPPs 8 and 9 (sections 15 and 16 of the PPIP Act), which provide that a public sector agency must allow you to update, correct or amend your personal information, and must make sure that your personal information is relevant, accurate, up to date and not misleading before using it. Although section 27 of the PPIP Act provides broad exemptions for the NSW Police and other law enforcement agencies from complying with the IPPs except in relation to their educative and administrative functions, Privacy NSW contacted NSW Police on Mr A’s behalf to investigate the matter.
Privacy NSW was concerned that, as a result of NSW Police’s policies and procedures, the privacy impacts experienced by Mr A could always occur where an individual provided a false name to the police when first arrested, notwithstanding that the police later discovered the true identity of the individual. As a result an innocent member of the public could find that their name would remain on Police records and databases, implying that they had a criminal record, and that they went by an alias. Individuals could possibly find themselves under scrutiny for crimes which they have not committed, or if a dispute ever arose as to their identity. Furthermore, incorrect details of arrests, criminal record or other related information could also be reproduced to other organisations.
As a result of Mr A’s complaint, the NSW Police agreed to take steps to establish a computerised system that would allow for a change in the “record name” of a criminal history in order to correct NSW Police records. This action would ensure that Mr B’s criminal history would be recorded under his own name, and not that of the complainant Mr A. NSW Police also agreed to establish a protocol to provide future guidance as to when a criminal record may be changed.
Managing Property Privately
A complaint was made by an individual (Mr B) against a real estate agent. The real estate agent had been the managing agent of a property which the complainant had recently leased. At the end of the lease there were some outstanding issues between the parties, so Mr B requested that further contact be made by either his mobile telephone or new address, which he provided to the agent.
Contrary to Mr B’s instructions, the real estate agent proceeded to contact Mr B at his place of work. On one occasion a letter was left at the reception desk. On another occasion a fax was sent, not marked private or confidential. Mr B was concerned that his private information was exposed to his colleagues during the working day.
Since December 2001 the Federal Privacy Act 1988 has regulated many private businesses, such as real estate agents. However, there is an exemption for businesses which have a turnover of less than $3 million per year. In this case Mr B was advised by the Office of the Federal Privacy Commissioner that his complaint was outside the Federal Act’s jurisdiction. On this basis Privacy NSW accepted the complaint under Part 4 of the PPIP Act.
Privacy NSW asked the real estate agent to explain why it had sent correspondence to Mr B’s place of work. The real estate agent responded that it contacted Mr B at work because it had no other way to contact him. The agent also advised that it had apologised to Mr B and that the matter had been amicably resolved. Mr B did not take the complaint any further.
Privacy for Sale
Mr C had changed his name by dropping his first name. He later received a letter from a real estate agent, addressed to his previous name. He was told by the agent that the information had come from RP Data and so he wrote to RP Data asking that the information be corrected. Mr C did not receive a response. Mr C’s complaint did not come under the jurisdiction of the Federal Privacy Act 1988 as the conduct occurred before December 2001.
Privacy NSW wrote to RP Data requesting that they review their records and correct their holdings to reflect Mr C’s chosen name. Privacy NSW also raised concerns with the Valuer General (now part of the Department of Lands) about the manner in which RP Data use personal information provided by the Valuer General under the Valuation of Land Act 1916.
The Valuer General sells information to RP Data (and other organisations) in its capacity as a valuation body. A common method by which the Valuer General collects personal information is through the Notice of Sale provided to the Valuer General following the sale of a property.
The Valuer General is authorised to disclose this information to valuers under the Valuation of Land Act 1916. The PPIP Regulation 2000 exempts the Valuer General from compliance with Part 6 of the PPIP Act with respect to “any valuation roll kept under the Valuation of Land Act 1916”. RP Data advised that the details about Mr C had in fact been removed from the listing that they sell to real estate agents.
The Valuer General agreed to tighten the terms and conditions under which personal information is sold to land valuers.
Privacy Reviews
Review of NSW privacy legislation
On 11 April 2006, the Attorney General, the Hon R J Debus MP made the following reference to the NSW Law Reform Commission:
Pursuant to section 10 of the Law Reform Commission Act 1967 (NSW), the Law Reform Commission is to inquire into and report on whether existing legislation in New South Wales provides an effective framework for the protection of the privacy of an individual. In undertaking this review, the Commission is to consider in particular:
- The desirability of privacy protection principles being uniform across Australia.
- The desirability of a consistent legislative approach to privacy in the Privacy and Personal Information Protection Act 1998, the Health Records and Information Privacy Protection Act 2002, the State Records Act 1998, the Freedom of Information Act 1989 and the Local Government Act 1993.
- The desirability of introducing a statutory tort of privacy in New South Wales.
- Any related matters.
The Commission should liaise with the Australian Law Reform Commission which is reviewing the Privacy Act 1988 (Cth) as well as other relevant Commonwealth, State and Territory agencies.
Privacy Awareness Week
Privacy Awareness Week 2007
This year Privacy Awareness Week becomes international. It will be highlighted in Australia, New Zealand and in Hong Kong.
It will begin on 26 August and conclude on 1 September. The theme for this year will be Privacy is Your Business.
Privacy Commissioners from Australia, New Zealand, Hong Kong, New South Wales, Victoria, Northern Territory and their organisations will be taking part. Queensland, South Australia and Western Australia will also be involved in the Awareness Week.
The major promotion of Privacy Awareness Week this year will be an international competition for students to portray their views on the relevance of privacy in today's society.
Details about the competition, how to enter it, what forms it takes and the prizes are listed below. Further details about Privacy Awareness Week are set out in the media statement about the Week on this website. Find out more about Privacy Awareness Week.
See details about the competition for students.