Privacy Law and Policy Reporter
The inadequacies of the Privacy and Data Protection Bill 1994 (NSW) are not limited to its unenforceability in the public sector (see (1994) 1 PLPR 41). There is considerable scope for improvement in how it deals with private sector codes, public registers and offences of trafficking in personal data.
A step back in the private sector?
Insofar as the private sector is concerned, the Bill constitutes no significant change from the position under the Privacy Committee Act 1975, except that in one respect it is a retreat from the very limited protection provided by that Act.
The Commissioner is able to investigate and conciliate any 'complaints about the use and disclosure of personal information (whether in the private or public sector) or other violations of privacy' (cl 22(i)). This is much the same 'privacy Ombudsman' function of very wide scope as the Privacy Committee currently has. However, the Commissioner's ability to investigate private sector complaints is largely destroyed because he is only able to require the heads of public authorities, or public officials, to give statements or produce documents (cl 29). In this respect the Bill is a significant step backwards from the Privacy Committee Act 1975, s16(1), which gives the Committee such powers in relation to both private and public sector complaints. The Commissioner's power to summon and examine witnesses under cl 30 (identical to the current s16(2)) does not compensate for this deficiency.
The Privacy Commissioner is only entitled to prepare a data protection code for a private sector body at that body's request, for adoption by it (cl 13(1)). A private sector body can draw up its own code and submit it to the Commissioner for 'review' (if it wishes), presumably implying that the Commissioner can endorse the code or refuse to do so (cl 13(2)). If the private sector body decides to review its code, it must ask for the Commissioner's views but is only required to 'consider' them (cl 15). The Commissioner cannot review any private sector codes unless asked (cl 17). There are no enforcement provisions whatsoever, and it is unlikely that the Commissioner's refusal to endorse a code that is inadequate would carry much weight. Despite all these limitations, the Commissioner has a separate function 'to prepare and publish guidelines in relation to data protection and the protection of privacy' (cl 22(d)), which apparently applies to the private sector. Given that the Committee has always had the power to issue advisory guidelines (Privacy Committee Act 1975 (NSW), s15(1)(c)), and has done so in many private sector areas over the years, it is hard to see that the 'code' provisions are any advance at all.
The New Zealand Privacy Act 1993 provides that the IPPs or, alternatively, Codes of Conduct tailored by the Commissioner for specific industries, apply to the whole of the private sector (the media excluded). Breaches of IPPs will become enforceable and will give rise to a full range of remedies at the conclusion of a phasing-in period of three years, or earlier where codes are in place (see McBride (1994) 1 PLPR 4 for a summary). Most European data protection laws now provide for enforceable rights in relation to the private sector, and all European countries will be required to standardise their laws to provide this when the European Commission's data protection directive is completed. Some Canadian jurisdictions also provide such rights.
The European Commission's draft Directive on data protection is expected to be finalised during 1995 (see (1994) 1 PLPR 39). The current draft provides that 'Member States shall by law provide that the transfer, whether temporary or permanent, to a third country of personal data ... may take place only if the third country ... ensures an adequate level of protection' (art 26(1)). Whatever 'adequate level of protection' means, it would be hard to argue that it is present in relation to any element of the Australian private sector, with the almost certain exception of the credit reporting industry (due to the strict requirements of Pt IIIA of the Privacy Act 1988 (Cth)). The likelihood of restrictions on the transfer of personal information between businesses in NSW and European businesses is one reason for NSW to move toward a more obviously adequate level of protection. The Privacy and Data Protection Bill 1994 does nothing to address this need.
It would not be unreasonable if the NSW government decided to first implement enforceable Data Protection Principles (DPPs) or codes in relation to the public sector (as the Bill apparently intended to do), and then extend the approach to the private sector. In effect, this is what was done in New Zealand, where one of the Commissioner's first tasks when appointed under the Privacy Commissioner Act 1991 (NZ) was to review the means by which privacy protection might be extended to the private sector. It would be a valuable addition to the NSW Bill if the Privacy Commissioner was required to report in a year or so on how the DPPs and codes made under them should be made enforceable in the private sector.
A desirable approach would be for the Bill to make provision for codes drawn up or approved by the Commissioner to become enforceable if an industry sector requested an enforceable code. An addition to this would be to provide a mechanism for parliament to authorise the Commissioner to draw up an enforceable code in a particular sector, possibly by means of a parliamentary resolution. The Commissioner could then report to Parliament on the need for an enforceable code in a particular sector, but could only proceed if Parliament so resolved.
However, while it is desirable that there be developed, over time, enforceable private sector privacy codes at State level, there will be some codes (perhaps most) which it is more appropriate to develop at a national level because of the national scope of the businesses concerned. The Australian Privacy Commissioner has called for the development of such national codes (see (1994) 1 PLPR 61).
The Bill repeals the Privacy Committee Act 1975 (NSW) and replaces the Committee with a Privacy Commissioner who has much the same 'ombudsman' functions, plus some additional functions relating to the DPPs and codes. The range of functions given to the Commissioner (cl 22) appears to be broad enough to encompass the Privacy Committee's past role of involving itself publicly in any privacy issues as it saw fit (his powers when doing so are a different matter).
The Commissioner's power to receive complaints is not limited to information privacy complaints, but covers 'a violation of the person's privacy' (cl 23).
The limits on the Commissioner's ability to investigate complaints against the private sector have already been noted, but the problems are much deeper than that. The list of the Commissioner's functions (cl 22) needs careful amendment, to ensure that, despite its length, it is not another step backwards from the Committee's brief but general list of functions (Privacy Committee Act 1975 (NSW), s15). For example, the Committee's general power (g) to 'conduct such inquiries and make such investigations as it thinks fit' called into play its Royal Commission powers (s16(2)), but in the Bill those powers can only be exercised in relation to 'investigations', which appears to refer only to investigation of complaints. In further contrast, the Committee's s16(1) powers to demand statements or documents apply to its exercise of any of its functions, but cl 29 is once again limited to 'investigations'.
In short, in relation to anything other than complaint investigation, the Commissioner is toothless compared with the Committee - but he or she has bigger and more modern gums.
The Bill is in part a response to the NSW Independent Commission Against Corruption (ICAC) Report on Unauthorised Release of Government Information (August 1992). The ICAC Report recommended the development of a consistent government policy on what was to be regarded as publicly available information and what was not. The Bill sets up a mechanism to address this, by providing that 'public registers' will be prescribed by regulations, and by providing special rules for their operation. The fact that the Bill addresses the problem of public registers is a significant innovation in itself, as this is not attempted in the Commonwealth Privacy Act 1988, and the approach taken is very different from that taken in Pt VII of the Privacy Act 1993 (NZ) (see McBride (1994) 1 PLPR 26).
A 'public register' is 'a register of personal information that is ... publicly available or open to public inspection, whether or not on payment of a fee' (cl 18). Public registers for this purpose are to be prescribed by regulations (cl 18). It is clear that cl 18 envisages public registers which are not 'required by law', and it is likely that the prescription of a register as a public register by regulations made under cl 18 would in itself be enough to overcome any implied statutory obligation of confidentiality arising from Johns v ASC.
A major problem is that the Bill gives no indication of the content of the regulations to be made under cl 18. This provision could be used to reduce privacy by the prescribing of personal information to be publicly available when it never has been before. The only substantive protection against this is the possibility that such regulations might be disallowed by the NSW Parliament. Two further desirable safeguards would be that the initial list of public registers should be included as a Schedule to the Bill, so the public can see what is intended (as was done in Sched 2 of the Privacy Act 1993 (NZ)), and that the Minister should obtain a report on any proposed regulations from the Privacy Commissioner, which should be tabled with the regulations (as the Australian Privacy Commissioner does in relation to any proposed exceptions to the Commonwealth spent convictions legislation). Alternatively, public registers could only be created by legislation, not regulation.
It is difficult to determine the extent to which the DPPs apply to public registers. DPPs 1-3 (collection principles) will always apply, as will DPP 11 concerning sensitive classes of information. DPPs 4-10 only apply to information held in a 'record', the definition of which (cl 3) excludes a 'publication that is or will be generally available to the public' (a 'generally available publication' referred to throughout the DPPs). It is not clear when such a 'generally available publication' will be a 'public register' and vice versa, so it is difficult to say whether some or all DPPs apply to public registers. It will also often be difficult to determine which aspects (if any) of information systems containing a public register are a 'generally available publication' or a 'public register'. It will often be the case that the same information held in one part of a system will be covered by all of the DPPs, whereas in another aspect of the same system it is held as publicly-available information or in a public register.
These provisions deserve clarification, because, where personal information is available to the public, it is even more important than otherwise that the records be accurate, complete, up-to-date etc, and that they be susceptible to correction if they are not. Data Protection Principles should apply to public registers except to the extent that the purpose of the register precludes their application.
Irrespective of the applicability of the DPPs to a public register, there are special obligations. 'A data protection code relating to personal information contained in a public register must require that the record-keeper not disclose the information unless satisfied that it is to be used for a purpose related to the purpose of the register or the Act under which it is kept' (cl 19(1)). Such purposes must be recorded (DPP 5). A record-keeper is not permitted to allow access unless so satisfied (cl 19(2)(b)). The record-keeper has a discretion as to how this obligation is discharged, but cl 19(2)(a) empowers record-keepers to require applicants to give particulars of intended use in the form of a statutory declaration. Use for any other purpose could therefore result in a prosecution for false swearing. This is a significant innovation, not found in the New Zealand Act.
These provisions give only very limited protection to individuals, dependent upon prosecutions for false swearing. People probably cannot find out who has accessed public register details about them, via DPP 6, because it only applies to access to 'records'. They also have no right to sue for damages for improper use by a recipient (contrast ss92-93 of the Privacy Act 1988 (Cth)). One of the best ways to make these public register principles effective is to give individuals the right to find out who has accessed their details, and to seek compensation for improper access.
It is notable that there is no exemption for the media from these rules. On the other hand, other government agencies may sometimes be exempt from these disclosure limitations, because they obtain access, not to the public register, but to other databases which the public register duplicates. If so, cl 11(4) allows codes to authorise unlimited data swapping between agencies. Where another agency does obtain access to a public register, cl 11(4) appears to allow a code to authorise data swapping in a way which conflicts with the cl 19 restriction.
Individuals may apply to have information about them on a public register made not publicly available (cl 20(1)). A record-keeper may only agree if this 'would not unduly compromise the register' and the safety of the applicant or the applicant's family is otherwise at risk (cl 20(2)). There is, in effect, a right of appeal to the Privacy Commissioner (cl 20(4)-(6)), the lone instance where a decision of the Commissioner is enforceable.
It is peculiar that a disclosure of personal information from a public register cannot constitute an offence under s7 (s7(3)), even where it is a disclosure of information suppressed from public disclosure, as this would be among the most sensitive information that could be disclosed.
It will be an offence for public officials or former public officials to misuse or disclose personal information to which they have had access in the exercise of official functions (s7). There is a defence of acting in good faith (s9). Persons holding themselves out as being able to supply information which they know or ought reasonably to know has been or is proposed to be disclosed in contravention of s7 will also be guilty of an offence (s8). However, the Bill does not contain any offence of obtaining personal information which the recipient knew or ought to have known came from such a source.
The ICAC Report recommended that there should be new offences relating to those 'further down the distribution chain' such as the banks, insurers and others that it found were regular corrupt recipients of personal information, and that such offences not require proof of the nature of the transaction by which the information was first obtained. This has not been followed.