Privacy Law and Policy Reporter
The Privacy and Data Protection Bill 1994, introduced into the NSW Parliament on April 14 by the Attorney-General, John Hannaford, is a very limited measure which falls far short of both international standards and the Commonwealth Privacy Act 1988. In some respects it will act to legitimise the extension of data surveillance. However, it does have positive features, such as an improved set of information privacy principles. Some significant amendments and additional provisions could convert it into a worthwhile privacy protection Act without abandoning its overall structure.
The principal deficiency of the Bill is that it does not provide any effective remedies for breaches of the Data Protection Principles (DPPs). It is "Clayton's" legislation: the privacy legislation you pass when you wish to appear to be protecting privacy.
The Privacy Committee Act 1975 was advanced legislation for its time, but the Bill that is to replace it has no more enforceable rights than the 1975 Act, despite a worldwide trend toward enforceability. Its enactment, without amendment, would see NSW decline in 20 years from being a leader in privacy protection to an international laughing stock.
The Bill sets out 11 DPPs (cl 21), which to a very large degree reflect the structure, terminology and content of the 11 IPPs found in s14 of the Commonwealth Privacy Act 1988, which were to a significant extent based on the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). This degree of consistency is very desirable, as it will make it possible for an Australia-wide privacy jurisprudence to develop, and it helps make Australian law reflect international privacy standards.
The 11 DPPs do, however, contain numerous differences from the Commonwealth's 11 IPPs. Almost all of these provide greater privacy protection than the Commonwealth model, and many follow improvements suggested by the NSW Privacy Committee. Unfortunately, the improvements are little more than window dressing in the absence of any means of enforcing the DPPs.
The DPPs 1-7 correspond to IPPs 1-7; DPP 8 combines IPPs 8 and 9; DPP 9 corresponds to IPP 10 (use); DPP 10 corresponds to IPP 11 (disclosure); and DPP 11 is new.
DPPs 9 and 10 each contain the one change to the IPPs which could be seen as weakening them, namely the specific inclusion in the exemptions for use or disclosures "reasonably necessary for the enforcement of the criminal law" of "investigations and the gathering of criminal intelligence". It could be argued, however, that criminal intelligence matters have always come within this exemption.
DPP 11 is new, and provides in 11.1 that the exemptions in DPPs 9 and 10 do not apply to "information relating to ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life". The only exceptions which allow use or disclosure are (a) "the express written consent, freely given, of the individual concerned" and (b) where the record-keeper is "required or authorised to do so under the law" of New South Wales.
DPP 11.2, dealing with "an individual's criminal history", appears more strict in that it does not include a written consent exception, and it prevents all "processing", not just use or disclosure. However, there is a further exemption for processing "authorised by ... a data protection code", so it appears that public authorities are encouraged to write their own exceptions to DPP 11.2.
The exception in DPPs 9 and 10 applies where "a record-keeper believes on reasonable grounds that use [or disclosure] of the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person". It may be unlikely to cause harm if this "life or health threatening emergency" exemption does not apply to most of the categories of information protected in DPP 11, but it is hard to see why it should not apply where "health" information is concerned. Such information is one of the main categories of information which needs to be disclosed in emergencies. The government would need to show that there is some other provision in NSW health laws which would always positively authorise such disclosures for the purposes of DPP 11.
The single crippling deficiency of the Bill is that the DPPs cannot be enforced, either by the Privacy Commissioner or (more importantly) by individuals who have suffered because of breaches of the DPPs, or by members of the public generally. The same is true of any codes of conduct based on the DPPs (discussed below).
The only enforcement mechanism provided in the Bill is that "an individual who has been detrimentally affected by an alleged breach of a data protection principle ... may complain to the Privacy Commissioner" (cl 23(1)). However, the Commissioner is merely empowered to report his conclusions (cl 37), but has no powers to order compliance with an infringed DPP, nor to award damages or any other form of compensation to the complainant. In other words, the Privacy Commissioner is a "privacy ombudsman" with no more enforcement powers than the existing Privacy Committee.
It is theoretically possible that individuals could seek to enforce compliance with the DPPs by resort to common law administrative law remedies, but this is a remedy beyond the reach of all but the wealthiest complainants, and in any event will not provide any compensation for past infringements.
The lack of enforcement measures does not mean that the DPPs will be ignored. The general culture of compliance with legal requirements by NSW public agencies, particularly when reinforced by the requirement on each agency to embody the DPPs in codes of conduct (see below), is likely to result in general compliance with at least the less inconvenient principles. The degree of persuasive authority that the Privacy Commissioner can develop will also be a determining factor to some degree.
Nevertheless, the contrast with the enforcement provisions in the Commonwealth Privacy Act 1988 makes the Bill seem a pathetic "advance". Breaches of the Commonwealth IPPs can result in the Commissioner making a determination that the agency concerned should comply with the IPPs, should take "any reasonable" steps to redress any loss or damage, or should pay compensation for loss or damage (s52). Agencies are required to comply with a determination from when it is made (s58). Recent amendments extend the Commissioner's powers to allow the award of damages in representative complaints (s52(1)(b)(iii)) and to allow compensation for hurt feelings (s52(1A)): see (1994) 1 PLPR 16. In addition, the Commissioner or any other person can seek an injunction to enforce compliance with the IPPs (s97).
The New Zealand Privacy Act 1993 has equally strong enforcement provisions for breaches of its 12 IPPs, with the Complaints Review Tribunal able to order compliance with the IPPs, the performance of remedial actions, and the awarding of damages up to NZ$200,000 (see McBride (1994) 1 PLPR 26 for a summary).
These examples of modern privacy legislation show the extent to which the "ombudsman" approach of the NSW Bill is an outdated 1970s approach to privacy protection, recognised to be inadequate in the face of the dangers to privacy posed by information technology in the 1990s.
NSW public authorities must prepare and adopt a data protection code within 12 months (cl 10), and it must "conform, so far as is reasonably practicable" to the DPPs (cl 11(2)). It must be "submitted to the Privacy Commissioner for review before adoption" (cl 11(1)(c)), and the Commissioner's views must be "considered" (cl 11(5)), but the Commissioner has no power to amend or reject the proposed code. Because conformity need only be where "reasonably practicable", agencies have in effect been given a licence to write their own exemptions from the DPPs. There is not even a provision for disallowance by Parliament.
There is another provision for the Privacy Commissioner to grant exemptions from codes in relation to classes of information or persons (cl 16), but it is difficult to see why agencies would bother seeking the Commissioner's consent when they can write their own "reasonably practicable" exemptions.
However, none of this is likely to matter very much, except to provide agencies with a code which ostensibly proves that they are acting legally when invading people's privacy, because the codes may be even less enforceable than the DPPs themselves! Codes are not enforceable in any way additional to DPPs. A breach of a code is not even specified as the basis for a complaint under cl 23, whereas a breach of the DPPs is so specified, so a complaint will only be able to be made if a breach of a code is "a violation of the person's privacy" (cl 23). In any event no remedies result. The sloppiness of drafting here is indicative that the Bill is not supposed to provide any remedies.
To make matters worse, cl 11(4) provides that "Despite subsections (2) and (3), a code may permit personal information to be disclosed by the public authority to another public authority for the purposes, and in the circumstances, specified in the code" (emphasis added). In other words, even the requirement of "reasonably practicable" compliance with DPP 10 (disclosure) is abandoned if a public authority would like to disclose personal information to any other public authority, for whatever reason. The definition of "public authority" (cl 3) includes anyone so declared by regulations, so it is possible that disclosure to public bodies of other jurisdictions could be authorised under this provision.
It is sometimes said that data protection laws can act as a device to legitimise surveillance which is otherwise regarded as of dubious legality. It would be difficult to find a more clear example.
As a result of the High Court's recent decision in Johns v ASC (see (1994) 1 PLPR 1 and (1994) 1 PLPR 10), it has now been confirmed that, in relation to information acquired compulsorily by governments, there is an implied statutory right of confidence. There is nothing in Johns v ASC which limits its applicability to Commonwealth government agencies, and its requirement of confidentiality may be a stronger restriction on disclosure than that contained in DPPs 9 and 10.
The obligation to provide natural justice in relation to disclosures, also established by Johns v ASC, is equally applicable to State agencies. This may have important implications for some State data sharing schemes, such as in relation to land information, or criminal record checking which does not have any statutory basis.
In light of this general law right, it may be that the NSW Bill is a significant step backwards because it has the capacity to destroy the privacy rights otherwise created by Johns v ASC. The danger is that cl 11(4) (discussed above) may constitute statutory permission to disclose which would negate any implied statutory obligation of confidentiality, wherever a code permitted a disclosure not otherwise allowed. If so, the NSW Bill would allow agencies to nullify any effects of Johns v ASC.
Against this conclusion must be placed the Australian High Court's recent decision in Coco v the Queen (decided 13 April 1994; see Cases & complaints in this issue), where it was held that "The courts should not impute to the legislature an intention to interfere with fundamental rights. Such an intention must be clearly manifested by unmistakable and unambiguous language." In that case "the fundamental right of a person to exclude others from his or her property" by resort to the tort of trespass led to the conclusion that a statutory provision did not imply a power in a judge to authorise conduct which would otherwise amount to a trespass. In Johns v ASC the High Court did not indicate whether the statutory right of confidence was such a "fundamental right", but if it was then cl 11(4) might have no effect on it.
Part II in the June issue will examine the Bill's effect on the private sector, the Commissioner's powers, Public Registers and offences.