Privacy Law and Policy Reporter
The Privacy and Data Protection Bill 1994 was introduced into the NSW Parliament on 14 April 1994 and later referred to a Select Committee of the Legislative Council (see 1 PLPR 66). The Privacy Committee believes that, while the Bill provides a useful starting point, a number of flaws must be removed before it can be claimed that the Bill gives a reasonable level of protection.
One major object of the Bill should be to safeguard the interests of individuals in NSW by establishing data protection standards and giving people an avenue to pursue breaches of those standards. Further, an appropriate legislative framework should aim to prevent institutionalised abuses of privacy such as those uncovered by the Independent Commission Against Corruption's report into the unauthorised release of government information. The prospect of increasing restrictions on transborder data flows, such as those proposed in the Council of Europe Recommendation No (91)10 - Communications to Third Parties of Personal Data Held by Public Bodies, also means NSW faces possible isolation from the global information market if it takes no action to introduce comprehensive data protection legislation. The Bill should aim to head off such isolation and provide a model for other Australian States to follow.
In its current form, the Bill revolves around Data Protection Codes which must be drafted by public authorities. These codes are required to conform to the Data Protection Principles (DPPs) in the Bill, but only 'as far as reasonably practicable'. The heads of public authorities have the final say on the content of the Codes, meaning the proposed Commissioner's role involves little more than reviewing the Codes before adoption. Ultimately he has no power to require public authorities to comply with the DPPs.
In its application to the private sector, the Bill goes no further than saying private sector bodies 'may' prepare and adopt Data Protection Codes. They can 'request' that the Commissioner prepare the Code or submit it to him or her for review.
Breaches of the DPPs do not attract a penalty but the Bill contains two offence provisions, one for misuse or disclosure of personal information and one for offering to supply such information. Use and disclosure in accordance with Data Protection Codes will not constitute an offence.
The Bill also establishes the office of a Privacy Commissioner. This Commissioner can investigate complaints and make inquiries but ultimately can only make reports to the appropriate person or refer complaints to other bodies.
The Privacy Committee believes the Bill should focus on improving the accountability of public authorities. To achieve this goal the offence provisions should be directed to serious and wilful disclosures of personal information. If the current, broadly framed offences are retained there is a real risk that the resources of the courts and police will be used pursuing trivial and minor offences. If this were to occur the effectiveness of the Bill could be seriously undermined.
The Committee is also concerned about the potential for a complaint to be both under investigation by the Commissioner and the subject of an independent prosecution for breach of the offence provisions. The Committee recommended that the Commissioner screen complaints and refer serious disclosures to appropriate agencies for action where an offence appears to have been committed, for example, Director of Public Prosecutions or ICAC.
The DPPs contained in the Bill generally accord with those recommended by the Committee in its 1991 submission to ICAC, 'Privacy and Data Protection: A Proposal for Legislation'. However, contrary to the recommendations of the Committee, DPPs 9 and 10 now contain broad exceptions allowing use and disclosure of personal information for the enforcement (including investigations and gathering of criminal intelligence) of the criminal law and protection of public revenue. The Committee is concerned that these provisions will be very widely interpreted by public authorities to the extent that the effectiveness of DPPs 9 and 10 could be seriously eroded. In particular, there is a danger that the exemption in favour of criminal intelligence will be used to justify disclosure of information on the basis of speculation rather than reasonable suspicion. The Committee has recommended that consideration be given to requiring that there be reasonable grounds for suspicion or a belief that an offence has been committed before non-consensual use and disclosure of personal information is permitted.
By allowing public authorities to prepare Data Protection Codes without the Commissioner's approval, the Bill gives such authorities the discretion to decide how closely they will conform with the DPPs. This approach will not promote consistent standards of privacy protection across the public and private sectors and does not meet international standards in privacy and data protection law.
To remedy this deficiency the Committee has recommended that the DPPs themselves be made directly enforceable and that the Commissioner be given the power to make public interest determinations exempting compliance where this would be appropriate. A power to make interim determinations should also be available to the Commissioner where there is an urgent need to disclose the information in the public interest.
The Committee believes the requirement for agencies to draft Codes in consultation with the Commissioner should remain to encourage agencies to consider their own information policies and practices, as well as to fulfil an educational role. These Codes should be registered with the Commissioner who should have the power to review them and recommend amendments.
The application of the Bill to the private sector is in some respects weaker than the current Privacy Committee Act and should be significantly strengthened. Under its Act, the Committee could prepare a code of practice for a private sector organisation on its own initiative. The Bill does not give the Commissioner the power to take such action. The ideal solution would be to make private sector agencies comply with the DPPs. A system of codes of practice, in which the Commissioner may prescribe standards which are greater or lesser than the DPPs, is an alternative option.
The Bill contains some innovative provisions to address increasing use of information held on public registers. Public registers are frequently used for purposes which go well beyond the purposes for which they were set up. Readily available database tools and communications technology have removed physical and financial constraints which previously made such uses rare. Increased use is also driven by the growing commercial value of personal information. A typical example is the extensive use of local government rate records by real estate agents for direct marketing.
The Bill would restrict the use of public register data to purposes related to the purpose of the register. The Committee believes this general approach is sound, but a number of changes are necessary to make the provisions workable and enforceable. Specific inclusion of public registers in the definition of 'generally available publication' and clarification of the wording of the definition of 'record' to ensure public registers are excluded will clear up uncertainties in the application of both the public sector provisions and DPPs 1-3. Prescribed public registers should appear in a schedule to the Bill. Agencies administering public registers should draft the purposes of their registers in consultation with the Commissioner and these purposes should be published.
The Bill also requires records to be suppressed when the record-keeper is satisfied that there is a threat to the safety of the data subject and that the register would not be unduly compromised by suppression. The Committee has recommended that the threat to safety requirement be widened and that allowance be made for access to suppressed records in appropriate circumstances. A breach of these provisions should attract the Commissioner's power to grant compensation (see below).
The Commissioner's powers to undertake inquiries and to investigate complaints are both deficient and confusing. An effective complaint handling function is essential to the overall effectiveness and credibility of the legislation.
Specifically, the Committee has recommended the following changes:
For this legislation to be successful in safeguarding the rights of individuals it must provide a suitable avenue for them to pursue grievances and obtain remedies. The Federal Privacy Commissioner has a power to make remedial determinations, including declaring that a complainant is entitled to compensation. The Committee believes that people who suffer damage or loss as a result of a breach of the DPPs should be entitled to a suitable remedy. To this end it has been recommended that the new Commissioner be empowered to make declarations that a public authority has breached a DPP or the public register suppression provisions; require an authority to take action to redress harm done as a result of the breach; or declare that the complainant is entitled to a specified amount by way of compensation. A mechanism to enforce these determinations should also be provided.
Further, to ensure public authorities comply with the DPPs and their Data Protection Codes, the Commissioner should be empowered to conduct audits of records of personal information held by government departments.
The Committee is concerned that, without appropriate safeguards, the effectiveness of the Commissioner could be seriously eroded through inadequate provision of resources and political appointments. To ensure independence, the Committee has recommended that the Commissioner should be appointed and supervised by a parliamentary committee in the same way as the NSW Ombudsman. The Committee has also recommended that funding and staffing be made independent of ministerial control.
There are a number of other provisions in the Bill which require attention. These include the reporting procedures, definitional problems, archival provisions, the application of the Bill to deceased persons and the Privacy Advisory Committee's composition and powers.
The provisions of the Bill relating to access to personal information bear a close relationship to the operation of the Freedom of Information Act 1989 (NSW). The Bill makes it clear that the Freedom of Information Act will prevail, and the Committee believes this will minimise any potential for conflict between the two pieces of legislation. The Committee has recommended that the operation of the two Acts be monitored and reviewed after five years.
It is clear that there is considerable scope for improvement of the current Privacy and Data Protection Bill. This view is shared by a number of the public and private sector organisations that have given evidence to the Select Committee hearings. The Select Committee now has the opportunity to recommend legislation which can be effective in giving some much needed protection for the personal information of individuals in NSW. Such action can ensure NSW remains the leader in privacy protection in Australia.
Hugh Stodart, Research Officer, NSW Privacy Committee.