Submission to the NSW Law Reform Commission in response to its Consultation Paper 3: Privacy Legislation in NSW


Ms D Sharp
Executive Director
New South Wales Law Reform Commissioner
G P O Box 5199
SYDNEY NSW 2001


Dear Ms Sharp

The purpose of this letter is to provide comments on the Commission’s Consultation Paper 3, Privacy Legislation in New South Wales.


General Comments

The paper raises fundamental questions for the way ahead for Privacy NSW, in particular the future oversight of NSW privacy legislation and whether the one body should administer FOI and Privacy. The establishment of an Information Commissioner is a related issue. Recognising that contemporary privacy issues in the community are characterised by or associated with data protection, this Commission favours the introduction of an Information Commissioner, in line with the approach taken by the Australian Law Reform Commission. Such a position would oversee the operation of both an FOI Commissioner and a NSW Privacy Commissioner. Privacy NSW does not support any proposal that the office of the Ombudsman hold the position of Information Commissioner.

In response to the Consultation Paper we make the general comment that the model adopted by the Commonwealth will have considerable influence on the choice of structure for New South Wales. This is because the harmony between Federal and State laws will not be achieved by simply realising Uniform Privacy Principles.

A further issue for comment at the outset is whether access to and amendment of personal information should be dealt with in one statute or whether personal and non-personal information should be dealt with in two separate statutes in FOI and privacy legislation. This Commission’s view is that the protection of an individual’s personal information is best dealt with by a ‘cradle to grave’ approach to regulation, which should reflect its life cycle within an agency and be regulated by privacy legislation. Multiplicity of information laws and governance structures relating to access and amendment of personal information potentially compromises the protection of personal and health information in its life cycle. Further, one of this Commission’s aims in the oversight of the Privacy and Personal Information Protection Act and the Health Records and Information Privacy Act has been to harmonise dealings with personal and health information across the public sector. The Commission therefore supports the continued inclusion of the access and amendment provisions for personal information within the Privacy and Personal Information Protection Act. We also support the proposal that the FOI Act be amended to make clear that first party access to and amendment of personal information should be sought through the PPIP Act.

This Commission is experiencing ongoing problems with access to medical documents by patients. This is a particular issue for note by the Privacy Advisory Committee, which has been consulted in preparing these comments.


Privacy NSW would prefer to reserve comments on many of the issues raised in the paper until the Commonwealth’s position is clearer. This is particularly so in establishing a uniform or at least consistent regime for statutory exemptions to the application of privacy principles.

Finally, there is good reason to replicate statutory models for information sharing and many other aspects of privacy work between the States and Commonwealth. Privacy NSW is looking for the unification of the privacy principles in the short term. The Commission is also of the view that the introduction of the Information Commissioner model, particularly in the context of short term FOI reform, is also an issue for short term resolution.


Proposal 1: National Uniformity

This proposal is supported.


Proposal 2: Co-operation with the Commonwealth in the development of privacy principles

This proposal is supported.


Proposal 3: NSW privacy legislation to only regulate the public sector

This proposal is supported. Reforms such as the National Accreditation Scheme for medical practitioners and the Federal Government response to the ALRC report strongly suggest the Commonwealth will cover the field for private sector organisations. PNSW accepts this position.


Proposal 4: Restructure of Privacy & Personal Information Protection Act 1998

This proposal is supported.


Proposal 5: Health Records and Information Privacy Act amended so that the Privacy Act regulates private sector organisations.

This proposal is supported as noted above.

Proposal 6: State Owned Corporations to be covered by privacy legislation

This proposal is strongly supported for the reasons expressed in the Consultation Paper.


Proposal 7: Contracts with NGOs

This proposal is supported.


Proposal 8: Direct collection exemptions if PPIP and HRIP Acts merged

This proposal is supported.


Proposal 9: Direct collection if NSW privacy Acts not merged

This proposal is supported.


Proposal 10: Amendment of IPPs 3 and 4 so that they also apply to collection from 3rd party

This proposal is supported.


Proposal 11: Amendment of IPP 5 and HPP 5 so that they also apply to information derived from observations or conversations with an individual

This proposal is supported.


Proposal 12: Amendment of IPP 5 and HPP 5 to ensure secure collection

This proposal is supported.


Proposal 13: Clarify the provisions which state that FOI law does not affect transparency access & amendment

This proposal is supported.

Proposal 14: Clarify transborder provision

This proposal is supported.


Proposal 15: Regulation of the use and disclosure of identifiers

This proposal is supported.


Proposal 16: Minor amendment to 25 (b) of PPIPA


Proposal 17: Power to amend s41 and s62 directions

This proposal is supported.


Proposal 18: Set time limit from bringing applications to ADT

This proposal is supported.


Proposal 19: Limit orders by ADT to findings of breach

This proposal is supported.


Proposal 20: Clarify role of Privacy Commissioner at ADT

This proposal is supported.


Issues

Issue 1 What are the impediments to information sharing in New South Wales?

The BOTPAR is a well-known and accepted phenomenon. It is well recognised in public sector agencies and accepted and discussed in the ALRC Report. This Commission’s experience is that it is widespread and not associated with any particular group. This Commission’s view with respect to child protection and other areas of interest, for example, the introduction of Youth Conduct Orders, is to permit exchange of information where it is reasonably necessary to discharge a statutory function.

This Commission’s view is that statutory models best facilitate exchange of information. Until a comprehensive statutory scheme is in place, Codes of Practice remain important.


Issue 2 Are the criminal sanctions adequate and satisfactory?

In Privacy NSW’s opinion there is little utility in prosecuting under PPIPA or HRIPA for corrupt disclosure or use of health information by public sector officials. Essentially Privacy NSW is concerned with resolution by conciliation and education. The State’s organisation for dealing with corrupt conduct is well established and workable.

Secondly, in so far as this Commission experiences the possibility of such conduct it is usually in the context of multiple issues between disputing parties and this Commission is not equipped or empowered to resolve such multiple issues.


Issue 3 Should PPIPA have an objects clause?

Yes; for the reasons expressed in the Consultation Paper.


Issue 4 Should we have HRIPA if we accept that the Privacy Act covers the field?

No. See introductory comments.


Issue 5 Would we need HRIPA if it only covered the public sector?

See introductory comments.


Issue 6 - 8 Should the publicly & generally available exclusions only apply to PPs 1 and 2 and issues arising out of the exceptions to “personal information”.

Privacy NSW repeats its previous submissions to the Commission of June 2004.



Issue 9 Why is there an exclusion for Pt 8A of the Police Act?

The Commission supports the review of PPIPA at clause 5.33 of the Consultation Paper.


Issue 10 Should a complainant be able to access the file about a Police officer?

Access ought be for any individual seeking access to personal information held by an agency in respect of a complaint.


Issue 11 Should a Police officer be able to access their complaint files?

Yes. Police officers are likely in the ordinary course of investigative work and giving evidence in court to be challenged about complaints made of them. It is usual for the credibility of a police officer to be challenged during the investigative process and in court. This special circumstance justifies access to the complaint files.


Issue 12 Should some of the IPPs apply to Pt 8A matters

See answer to Issue 10.


Issue 13 Should the Ombudsman’s be included in s27

The Ombudsman’s submission at clause 3.34 is not supported. The Commission is of the view that there is an operational consistency of function with the law enforcement agencies already identified, which is inherently of a different kind from the FOI Act. Privacy NSW repeats and relies on the submissions already made to the Commission in June 2004.


Issue 14 Should the s 4(3)(j) suitability for employment exemption continue?

Yes. Privacy NSW repeats and relies on the submissions already made to the Commission in June 2004.


Issue 15 Should 4(3)(j) just apply to prospective employees?

Yes


Issue 16 Does 4(3)(j) need amending to clarify Parliament’s intention?

Yes. To restrict its application to information relating to the recruitment of an employee.


Issue 17 Does 4(3)(j) need rewording?

Yes.


Issue 18 Should the definition of Personal Information include photos etc?

Yes. If an individual’s identity is apparent, or can reasonably be identified from a visual image, that photograph or video image ought be defined in the legislation as personal information.


Issue 19 Meaning of ‘reasonably ascertained’

The meaning of the phrase “or can reasonably be ascertained from the information or opinion” needs clarification to ensure it includes constructive identification. The Courts are best left to decide what satisfies the purposes of the legislation. Given the wide ranging possibilities guidelines are unlikely to provide the best guidance.


Issue 20 Should the definition of ‘public sector agency’ in PPIPA be amended?

Yes, for the reasons expressed in the Consultation Paper.


Issue 21 Should the definition of ‘public sector agency’ in HRIPA be amended?

Yes, for the reasons expressed in the Consultation Paper.


Issues 22 - 23 Should the meaning of ‘unsolicited’ be amended; what legislative provisions should apply?

Yes. There continues to be difficulty in deciding whether unsolicited information is not “collected” by a public sector agency. Privacy NSW agrees with the ADT’s submission at paragraph 5.61 of the Consultation Paper.


Issue 24 Should the meaning of ‘administrative’ and ‘educative’ in s27 be clarified?

Yes. Privacy NSW repeats and relies on the submissions already made to the Commission in June 2004.


Issue 25?


Issue 26 Sufficiency of Privacy Commissioner’s powers.

Yes. The Privacy Act reform process will affect how this should occur.


Issues 27 & 28 Should PPIP Act contain express provisions for regulation of bodily privacy? Should PPIP Act contain express provisions for regulation of territorial privacy?

Essentially PNSW is a low key conciliation agency concerned with public sector data protection. That is, it seeks, almost without exception, to resolve complaints through correspondence. Where it arises, the Commission oversees the Internal Review process. Some advice is given from time to time on intrusion privacy issues but data protection is essentially the Commission’s work. Privacy NSW supports the view that the complex and specialised area of bodily privacy is best regulated by dedicated legislation. Privacy NSW has limited influence and oversight of privacy of communications and territorial privacy. Its investigative and enforcement powers are limited. Alleged privacy breaches, in its experience, usually occur in a broader context, for example, neighbour-neighbour disputes. Privacy NSW supports the Law Reform Commission’s approach for regulation of those breaches under dedicated legislation.


Issue 29 What is the appropriate relationship of statutory cause of action to PPIPA?

Privacy NSW supports the introduction of a general cause of action for invasion of privacy. As previously submitted it contends that a factor to be taken into account in determining whether there has been a breach, in cases involving data protection, ought to include consideration of any contravention of the privacy principles.


Issue 30 - 34 Issues 30 – 34 relate to the Privacy Principles.

Privacy NSW repeats and relies on the submissions already made to the Commission in June 2004.


Issue 35 Do s15 (1) and (2) need clarification (access and amendment)

Yes. This Commission supports the alternative amendment suggested in para 6.39 of the Consultation Report.


Issue 36 Should ‘use’ and ‘disclosure’ be collapsed?

Yes. As suggested by Privacy NSW in its submissions noted at 6.46 of the Consultation Paper.


Issue 37 Is the correct interpretation of IPPs 10 – 11 the relevant purpose for which the information is collected?

Yes. The legislation should be amended to clarify this.


Issue 38 Do Privacy Principles 10 and 11 apply to unsolicited information?

This Commission supports the ALRC proposal at 6.52 of the Consultation Report.


Issue 39 Should the PPs include an equivalent to UPP 2.5?

Yes. This Commission supports the ALRC proposal.


Issue 40 Should s18 (1)(b) be amended?

Yes, as set out in (a) in the Consultation Paper. The Crown Solicitor’s submission at 6.54 is supported.


Issue 41 Should there be special restriction on the disclosure of criminal history?

Yes. Privacy NSW maintains the submission set out in the Consultation Paper at 6.57.


Issue 42 Should sexual activities be clarified?

PNSW maintains the submission set out in the Consultation Paper. This Commission supports the ALRC Report.


Issue 43 Should s19 (1) be placed in s18?

Privacy NSW maintains the submission set out in the Consultation Paper.


Issue 44 Should the privacy principle regulating use and disclosure of identifiers be in the same terms as HPP 12 or the proposed UPP 10?

The terms of the Privacy Principle should be left to the forthcoming discussions on the UPPs. However, it seems to this Commission that UPP 10 is a sound approach.


Issue 45 Exemption from compliance with IPP’s 2,3,10 & 11

Yes, for the reasons expressed in the Commission’s Consultation Paper.


Issue 46 a. Is the correct interpretation of s25 as in HW’s case? b. Should s 25 (a) be amended?

a. Yes, for the reasons expressed in the Commission’s Consultation Paper. On a purposive construction, which PNSW supports, 25(a) ought be interpreted widely as in HW’s case.

b. Section 25(a) of the PPIPA should be amended to clarify this issue.

Issue 47 Should s18 public sector agencies be exempted where information disclosed to an investigative agency?

Yes, consistently with the ALRC’s UPP 5.1 9H.


Issue 48 Should the interaction between s29(2) and s30(1) regarding Codes be clarified?

Yes. The Code of Practice machinery ought be limited to modification of the IPP’s. A power to ‘regulate’ them ought not be contemplated by the Act.


Issue 49 Should the scope of Codes be clarified?

Yes. It is this Commission’s intention to introduce the DoCS Code of Practice together with an Explanatory Memorandum.


Issue 50 Should person mean ‘natural person’?

Yes, for the reasons expressed in the Consultation Paper.


Issue 51 Should s37 and 38 apply to person or public sector agency

Yes, for the reasons expressed in the Consultation Paper.


Issue 52 Should the public interest direction provisions be clarified?

As noted earlier, Privacy NSW supports Proposal 17. For the reasons expressed in the Consultation Paper, PNSW agrees with the questions posed by issues 52(a) and (b).


Issue 53 Should s45 (1) be clarified to make clear it applies to an individual or person acting on their behalf

Yes. A conservative approach is presently taken. There are obvious risks in third parties acting on behalf of individuals, particularly those who are vulnerable and/or susceptible to influence and manipulation. Privacy NSW’s view is that in a contemporary social context the public/private interests resolve in favour of third party claims.

Issues 54 & 55 Should the meaning of ‘violated’ or ‘interfered with’ be clarified? Should the legislation provide guidelines?

This Commission supports the Crown Solicitor’s submissions at 7.23 of the Consultation Paper.


Issue 56 Should the s 36(2)(k) and s 45 (complaint handling) interaction be clarified?

The correct approach is to await Privacy Act reform developments.


Issue 57 Does s 51, conducting enquiries, require clarification?

Yes. The Privacy Commissioner, should the situation arise, would conduct an inquiry or investigation into general issues raised by a withdrawn complaint. This is a little-used but important one of the Commissioner’s functions under s 36 of the PPIP Act.


Issue 58 Reports to Parliament; do they need clarification?

Privacy NSW does not interpret the legislative scheme as imposing any restriction on a report to Parliament. For the reasons expressed in paragraph 7.30 of the Consultation Paper there is no need for clarification.


Issue 59 Should s 55 be amended to clarify whether an ADT review is an original or review jurisdiction?

Yes. Privacy NSW supports the ADT’s viewpoint as expressed in paragraph 7.37 of the Consultation Paper.


Issue 60 Should individuals be allowed to make IR requests outside the 60 days? s 53(3)(d)

Yes, as submitted by the ADT.


Issue 61 Should the Privacy Commissioner rather than the ADT have the power to make a final determination for a complaint?

Privacy NSW’s viewpoint on this issue will be very much affected by the model that emerges from the Commonwealth.


Issue 62 Should FOI and privacy access, disclosure and correction provisions be ‘rationalised’?

The access, disclosure and correction principles do not require rationalisation. They are clear in the Privacy and FOI legislation.


Issue 63 - 67 Should individuals be made to go through FOI to get first party access? Should FOI and privacy complaint handling provisions be made consistent? Should FOI and Privacy be administered by one body?

See the introductory comments to this letter.


Issue 68 Should the retention principle in s12 include a statement that it applies despite the State Records Act?

No. Privacy NSW’s view is that the present position is clear. IPP5 does not override the State Records Act.


Yours sincerely




K V Taylor
Privacy Commissioner




  Last updated 26 March 2009   Crown Copyright ©  