Privacy Law and Policy Reporter
NSW Attorney-General, Jeff Shaw, has announced details of a `revolutionary' NSW Privacy and Data Protection Bill 1996 which he says will be soon introduced. If enacted as promised, the NSW move will take the initiative from the Federal Government in setting privacy standards in the private sector in Australia, and will force a reaction from other Australian governments. It will also set the standard for privacy protection in the state and territory public sectors. The new privacy law will be administered by a new NSW human rights commission, which will merge the existing NSW Privacy Committee with the Anti-discrimination Board, and will be headed by Mr Chris Puplick.
The Bill has not yet been released, and it is understood that not all details have yet been finally approved by Cabinet. In releasing details, Mr Shaw was initially reacting to disclosures in the NSW Police Royal Commission that a paedophile in the NSW Department of Community Services had used his position to obtain details of young boys who he then approached to pose for photographs. The Bill will include criminal sanctions for public officials who use information corruptly. He subsequently released further details of the Bill, and his spokesperson has provided further clarifications.
Mr Shaw's office confirmed that the data protection principles would apply directly to NSW Government agencies, but could be modified for specific public sector bodies by regulations. Insofar as the private sector is concerned, the procedure would be different in that no enforceable principles would apply until the Commissioner drew up codes of conduct applying to various parts of the private sector. These codes would be issued by means of regulations. The Commissioner would normally draw up such codes in consultation with representative private sector bodies, but a code could be imposed on a sector that was dragging its feet.
A key matter which is unclear as yet is whether the modifications to the public sector principles, or the issuing of codes of conduct, will be by regulations (that is, made by the Government) or will be statutory instruments made by the Privacy Commissioner. Such codes are made by the Commonwealth Privacy Commissioner and the NZ Privacy Commissioners under their Acts, subject to the safeguard (in the Commonwealth case) of disallowance by Parliament. If the Commissioner is going to be the initial `negotiator' of codes with industry, it does not seem desirable that her or his efforts should then be able to be undermined by `closed door' appeals to a Minister for modifications. The open process of parliamentary disallowance has advantages.
It is also unclear what opportunity the public and public interest groups (such as consumer and civil liberties organisations) will have for input into the process of developing such codes/regulations -- or whether only `industry groups' will have an opportunity for input.
One of the dangers of the proposed approach, in relation to the private sector, is that it may have the potential for private sector coverage but fail to deliver it, if the government or Commissioner (whichever has the authority) fails to produce codes for major parts of the private sector. This might occur through lack of resources, lack of political will, or effective delaying tactics by industry. The contrasting approach in the NZ Privacy Act 1993, which allows codes to be developed but makes the private sector subject to a staged introduction of all the privacy principles unless and until codes are developed, gives a certainty of coverage after a phase-in period. Perhaps the NSW Bill will provide sufficient flexibility to guarantee this result -- it should.
Other details of the content of the privacy principles in the NSW Bill have not been released, but it can be expected that they will not be any weaker than those in the Commonwealth Privacy Act 1988. One of the few good features of the previous NSW Government's Privacy and Data Protection Bill 1994 (see 1 PLPR 41) was that it even improved on the Commonwealth IPPs, following suggestions by the NSW Privacy Committee, so it is hard to see the Shaw Bill being weaker.
This is an entirely desirable approach. The Federal Coalition Government's policy is that privacy reform is `a matter of the utmost priority' and requires `a consistent Australia-wide approach', but requires consultation with the states and a comprehensive parliamentary inquiry (see < 3 PLPR 1>). Nothing will better focus the attentions of the Commonwealth and other jurisdictions on privacy than a NSW Bill covering the private sector. A `national approach' will then emerge very fast.
Mr Shaw announced that Mr Chris Puplick, the current Chairman of the NSW Privacy Committee and President of the Anti-Discrimination Board, would be the new Privacy Commissioner and would head the new merged body. In congratulating Mr Puplick, Mr Shaw said he was `admirably and uniquely qualified for this crucial new role ... [and] had demonstrated his superior commitment, capacity and talents in both the positions he currently held'.
Such a merger was proposed by the Anti-discrimination Board in a submission to a Legislative Council Committee in 1994. Mr Shaw is reported as saying that he proposed the merger because the two bodies had similar complaints processes and both dealt with human rights issues, and it would be more efficient.
First, without in any way questioning Mr Puplick's undoubted abilities, or his suitability to head the new body, the fact is that he will be a part-time Privacy Commissioner and a part-time Anti-discrimination Commissioner. The demands of the new position of Privacy Commissioner, given the enormous expansion of the Commissioner's role in relation to both the public and private sectors, will require a full-time Commissioner if the job is to be done effectively. In particular, the first couple of years operation of the new privacy law will require the sustained application of the Commissioner's expertise and involvement in the development of codes, and in the interpretation of the new law. An expansion of privacy staff beyond the current inadequate staffing of the Privacy Committee (as promised by Mr Shaw) will help, but is no substitute for a full-time Commissioner.
NZ, a jurisdiction equivalent to NSW, has a full-time Privacy Commissioner, and other human rights Commissioners. The Commonwealth's Human Rights and Equal Opportunities Commission (HREOC), has a full-time Privacy Commissioner (who only has very limited private sector responsibilities) and six other Commissioners dealing with discrimination and other human rights issues. NSW would not be extravagant in having both a Privacy Commissioner and an Anti-discrimination Commissioner.
Second, while there ought to be efficiencies to be gained from merging administrative arrangements in the privacy and discrimination areas, HREOC's experience in complaint-handling ought to be a salutary lesson. HREOC complaint staff, experienced in handling discrimination complaints, took over privacy complaints for a period, but this approach was then abandoned and HREOC's Privacy Branch (that is the Privacy Commissioner's Office) now does all its own complaint investigation. There are good reasons why such a merger of complaint-handling is problematic. While privacy issues and discrimination issues do overlap, they often require very different expertise and resolution skills. For example, privacy issues increasingly requiring expertise in information technology, and resolution of discrimination issues very often requires considerable sensitivity to cultural and personal differences. It is likely to be difficult to find staff who are equally interested and able in handling both privacy and discrimination matters. It would be sensible for NSW to consider the Commonwealth approach.
On the strength of the details released so far, Mr Shaw's proposed Bill will be far superior to its predecessor. While `revolutionary' for Australia's retarded privacy laws, it will be comparable to modern privacy legislation in Europe, NZ, Québec and Hong Kong. If the fine print of the Shaw Bill lives up to the general approach that has been announced, NSW may regain the position that it held 20 years ago as an international leader in privacy protection. v
Graham Greenleaf is a Member of the NSW Privacy Committee, but this article presents a personal view and does not represent the views of the Committee.