Privacy Law and Policy Reporter
Commissioner David Flaherty's report on his first eight months in office makes an interesting comparison with the recent first annual reports of his closest Australian equivalents, the WA and Queensland Information Commissioners (see 2 PLPR 13 and 2 2 PLPR 13 and 2 PLPR 36). In the search for new models for privacy legislation in NSW and elsewhere in Australia, there is much to be learnt from the experience of Canadian jurisdictions.
British Columbia's Freedom of Information and Protection of Privacy Act 1992 is similar to the WA and Queensland Acts in the powers of the Commissioner (Pt 5) to review the decisions of any public body concerning access to a record, or correction of personal information, and to make binding decisions at the conclusion of such a review. Part 2 of the Act sets out the freedom of information rights, and the usual lengthy list of exceptions to them, including an astonishingly detailed prescription of how the privacy rights of third parties are to be balanced against the right of access (s 22).
There is also a general 'public interest override' provision that requires the disclosure of information by the head of a public body ('whether or not a request for access is made') if the information is about a risk of significant harm to the environment, or the health or safety of the public or a group of people (s 25). In this case none of the exceptions in the Act apply, but the Commissioner and any third parties to whom the information relates must be informed before disclosure.
Information privacy principles covering purpose and method of collection, accuracy, correction, security, retention, use and disclosure of personal information are set out in Pt 3 ('protection of privacy'). The Commissioner can investigate and resolve complaints concerning any breaches of these duties of public bodies, and can make binding decisions requiring public bodies to comply with the principles (s 58). He has no power to award damages. Although judicial review of the Commissioner's decisions is available (see s 59), there is no general right of appeal.
The Commissioner has quite extensive general powers (s 42) to engage in investigations, audits, and public debate concerning public sector privacy issues, and has 'royal commission'-style investigatory powers (s 44).
The head of a public body may prescribe which categories of records it controls are available to the public on demand without an FOI request (that is, 'public registers') (s 71). The Commissioner does not appear to have any powers in relation to such decisions.
After eight months of his (non-renewable) six-year term, Commissioner Flaherty reports that his office opened 275 cases, of which 150 were requests for review of access or correction decisions and 82 were complaints concerning the information privacy principles. Over 75 per cent of the 115 completed cases were resolved by mediation, about 20 per cent were withdrawn or outside jurisdiction, and only six resulted in binding decisions by the Commissioner. All of these concerned access issues, and they are reported in full in the report. Unfortunately, no details of the mediated complaints are given, so the report says nothing about the nature or resolution of the complaints concerning the privacy principles.
There is little in the report on the Commissioner's role in giving advice on proposals (except for recommendations for sectoral legislation in the Pharmanet project) and being involved in public debate, because it was written so early in his term of office. His subsequent involvement in the Pharmanet debate (see 'Private Parts' in this issue), and his 'Delta Investigations' report show that he has since developed a much higher public profile.
Commenting on the impending European Directive on Data Protection, the Commissioner notes that the Act he administers, and the role of his office, 'would likely satisfy European expectations for the public sector in British Columbia'.
The British Columbia legislation is the equivalent of taking the WA or Queensland Freedom of Information Act and adding to it a set of information privacy principles (with the Commissioner having enforcement powers) similar to those in the Commonwealth Privacy Act 1988. Insofar as the public sector is concerned, it is a very strong example of privacy legislation (at least for the English-speaking world). It is more complete than the Commonwealth Privacy Act, because the Commissioner decides all appeals against agencies concerning the vital privacy issues of access to and correction of personal information, and the related decision of protection of the privacy of third parties whose information could be disclosed in FOI requests. These decisions are 'core business' of privacy protection, and require the development and application of a consistent privacy jurisprudence. In terms of numbers of decisions (though not necessarily their importance), access and correction decisions will always far exceed the numbers of complaints concerning other information privacy principles (such as disclosure or collection). On the one hand, there is a danger of a Privacy Commissioner's attention to other issues being swamped by the requirement to deal with numerous access decisions (particularly those not involving personal information at all). On the other hand, a Commissioner who is not so involved is excluded from the decisions which have the most immediate effect on individual privacy and involve the most detailed elaboration of privacy policies. It is like flying with only one wing.
The statistics from the British Columbia, Queensland and WA Commissioners all show that the majority of reviews of access decisions that a Commissioner conducts concern personal information, not FOI requests for 'policy' information. There is little danger that the 'privacy' functions of a Commissioner who combines both jurisdictions will be swamped by his more general FOI functions - if anything, it is the other way around. Nor do any of these Commissioners seem to find inherent conflicts between their 'privacy' and 'FOI' roles.