Privacy Law and Policy Reporter
New options for resolving the 'privacy/FOI overlap problem' which are under consideration by the Australian Law Reform Commission and the Administrative Review Council could eliminate the Privacy Commissioner's role in dealing with complaints concerning access to and correction of personal information. This is an unexpected development which strikes at the heart of privacy protection and which seems at odds with other moves toward more comprehensive privacy legislation in Australia.
The ALRC and ARC are conducting a joint review of the Commonwealth Freedom of Information Act 1982, and issued a Discussion Paper in May 1995 (No 59, Freedom of Information - see 2 PLPR 95 for a summary). The Discussion Paper does include valuable proposals concerning FOI and privacy, particularly its endorsement of the extension of access and correction rights to the private sector, but the benefits of the review could be undone by an unwise fragmentation of privacy protection.
The 'privacy-FOI overlap problem' has a number of dimensions. First, for a person to access government documents concerning his or herself is both an exercise of what is traditionally called 'freedom of information' rights (and by far the most common exercise of such rights) and is also one of the three cornerstones of information privacy protection (the others are limits on collection and limits on disclosure). Access to your own records has always been regarded as the indispensable starting point of privacy legislation and international privacy agreements.
The second dimension is the protection of the privacy of third parties; information about whom is included in documents to which access is sought. A balance must therefore be struck between the privacy interest of the third party and the interests supporting access (both public interest considerations and, in some cases, the privacy interest of the applicant -- though courts have accommodated this interest in different ways). The balancing test is contained in s 41 of the Commonwealth FOI Act, and is reflected in IPP 11 in the Privacy Act (which means that disclosures of third-party personal information in accordance with s 41 of the FOI Act do not breach IPP 11).
The third dimension is an historical accident. Australian FOI Acts include a right to obtain corrections to documents which are about a person's 'personal affairs' or (more recently) 'personal information'. No such correction rights apply in relation to 'non-personal' information. No such correction rights occur in the US Federal FOI Act (they are in the Privacy Act 1974). As the ALRC Discussion Paper explains, 'It was originally envisaged that amendment facilities would be provided in privacy legislation. Because there was no privacy legislation at the time the FOI Act was introduced, however, amendment facilities were included in the FOI Act' [para 8.2]. This expedient in the 1982 Commonwealth FOI Act has replicated itself in all state FOI Acts for the same reason - no state had enacted privacy legislation implementing a set of information privacy principles prior to enacting FOI, so correction became 'bundled' with FOI.
Information Privacy Principles (IPPs) 6 and 7 in the Privacy Act 1988 (Cth) provide access and correction rights, while making it clear that they are subject to conditions and exceptions similar to (though probably not identical with) those found in the FOI Act. In theory, therefore, an applicant/complainant has alternative remedies in relation to access and/or correction of documents/records containing personal information, the 'FOI route' (ultimately via appeal to the AAT) or by complaint to the Privacy Commissioner once an agency refuses access or correction. One signal difference between the two routes is that the Privacy Commissioner has powers to award compensatory damages and other remedies for breaches of the IPPs, remedies entirely absent from the FOI structure.
The Discussion Paper explains that 'the only reason that [the current overlap] has not caused significant practical problems to date is because the Privacy Commissioner has left complaints relating to access and amendment of personal information to be dealt with under the FOI Act' [para 8.3] (see 2 PLPR 95). Another Privacy Commissioner might, of course, take a different approach. It is also possible that a complaint could seek administrative law remedies to force the Commissioner to exercise his jurisdiction under IPPs 6 and 7.
There is also an important question of whether the availability of compensatory or other remedies is appropriate and necessary where individuals have suffered harm through denial of access to or correction of personal information, or whether such situations can be dealt with under other IPPs. The ALRC-ARC was considering a merger of FOI and privacy legislation in the Discussion Paper, and (perhaps in consequence) does not raise this issue. Their new options mean that the question cannot be avoided.
The ALRC-ARC's May 1995 Discussion Paper includes draft proposals based on leaving the AAT as the decision-making body concerning all three of the 'overlap' issues listed above. It does not include any specific proposals to remove the Privacy Commissioner's powers under IPPs 6 and 7, but instead contemplates a longer-term merger of the FOI Act, Privacy Act and Archives Act into a single Act, administered jointly by the proposed FOI monitor, the Privacy Commissioner, and the Director-General of Archives (perhaps as a new body; the Information and Privacy Commission).
However, the ALRC has subsequently circulated a set of revised options to its consultants, differing from those in the Discussion Paper. An option which is now receiving serious consideration is that the Privacy Act should contain a provision which formalises the de facto situation outlined above, by removing the Privacy Commissioner's jurisdiction to deal with access and correction complaints. Unfortunately, the ALRC is unable to provide any details of this option to the Reporter prior to the release of its final report (proposed for December), so it is possible that there are subtleties in the proposed approach which are not properly reflected in the criticisms which follow in this article.
In this short article it is only possible to sketch reasons why the ALRC-ARC option should be questioned, not to argue them in full detail.
This aspect of privacy protection is a statutory tort, not just an administrative law remedy. It is not appropriate to place it in an administrative law context.
Graham Greenleaf, General Editor.