Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Greenleaf, Graham --- "NSW privacy Bill passes Legislative Council" [1998] PrivLawPRpr 64; (1998) 5(4) Privacy Law & Policy Reporter 69

NSW privacy Bill passes Legislative Council

The legislative process
Essential elements
First, some good news
Remaining limits and weaknesses
An initial assessment

NSW privacy Bill passes Legislative Council

Graham Greenleaf

The Privacy and Personal Information Protection Bill 1998 introduced into Parliament by the New South Wales Government in September was a contender for ‘world’s worst practice’ in privacy legislation. The Bill gave only an illusion of privacy protection because a variety of drafting devices:

• gave complete exemptions to all police and investigative agencies;
• made three of its 11 ‘Information Protection Principles’ inapplicable to any agencies;
• allowed the Minister to exempt any agency from any part of the Bill; and
• in a remarkable Catch-22, required any complainant to forfeit all rights to an enforceable remedy if they allowed the Privacy Commissioner to investigate and mediate their complaint.

The Bill was a travesty of Attorney-General Jeff Shaw’s 1996 promise of ‘revolutionary’ privacy legislation (see (1996) 3 PLPR 17), and a testament to the power of the Cabinet Office and investigative agencies in NSW to exert their will over politicians.

On 29 October the amended Bill emerged from the NSW Legislative Council considerably improved, but still deformed and potentially harmful to privacy in many respects. In most respects, it is a bad model for privacy legislation in other jurisdictions. This article summarises the Bill as it now stands, but it will be analysed fully if and when it completes its passage through Parliament.

The legislative process

With considerable input and some drafting from consumer and privacy organisations, the Opposition, Greens and Democrats all proposed amendments. In some instances the Government supported amendments by the Greens and Democrats which the Opposition opposed, and in other instances amendments prevailed by the combined numbers of Opposition and a majority of the cross-benches. The Bill was amended to apply to State-owned corporations only on the casting vote of the Chairman.

The resulting Bill is such that the Government may allow it to pass the Legislative Assembly as it is when Parliament resumes on November 10, or it may pass an amended bill which does not cover State-owned corporations and return the Bill to the Legislative Council. Anything is still possible with this legislation, which has a long history of not happening.

Essential elements

The core of the Bill is that it provides for 11 ‘Information Protection Principles’ (IPPs), the content of which are essentially equivalent to those in the Commonwealth Privacy Act 1988. The IPPs only apply to the NSW public sector, including local government and prescribed bodies which are providing outsourced data services. Neither major party was willing to include the private sector at all, despite the Attorney-General’s 1996 commitment to do so to make NSW ‘EU-safe’. Codes of practice, made by Ministerial regulation and disallowable by Parliament, can modify the operation of the IPPs and provide exceptions to their operation.

Complaints of breaches of the IPPs will be investigated by the new NSW Privacy Commissioner (who the Government has previously said will be the current Chair of the Privacy Committee, Chris Puplick), and the NSW Privacy Committee will finally disappear after its 21 year history. The Commissioner can only mediate complaints, but complainants will be able to appeal (thanks to amendments) to the new Administrative Decisions Tribunal (headed by former Commonwealth Privacy Commissioner Kevin O’Connor). The Tribunal can award compensatory damages of up to $40,000 and can order remedial actions.

First, some good news

Amendments to the Bill by the Legislative Council have improved it considerably. The highlights follow.

• Complainants no longer lose their right to enforceable remedies if they allow the Privacy Commissioner to mediate, due to the deletion of s 51(1) from the Bill. This is a major amendment, without which the Bill was worthless.
  
  
• The Bill contains the first data export prohibition provision in Australian law. The Bill now provides (s 19(2)) that a NSW public sector agency cannot transfer personal data to a person or body in a jurisdiction outside NSW unless:

(1) the jurisdiction has a privacy law applying to that information which the Privacy Commissioner has declared to be a relevant law; or

(2) there is a code of practice which allows such transfers (so as to accommodate where adequate protection can be provided by means other than legislation). The provision for a code of practice will give considerable flexibility so as to ensure that transfers which are in the public interest are not prevented. The provision will not operate for one year, to give time for a code to be developed.

• Although the Minister, not the Privacy Commissioner, will still make codes of practice (s 31(5)), the Minister’s discretion is no longer unconstrained, but must now be exercised subject to three conditions under s 29(6):

(1) codes must provide standards of privacy protection which protect NSW agencies against data import restrictions (which should mean that any codes must be ‘adequate’ in terms of the EU Directive);

(2) codes can’t provide exemptions from the IPPs unless the Privacy Commissioner (not the Minister) is satisfied that the public interest in allowing the exemption outweighs the public interest in the agency complying with the IPP; and

(3) codes can’t impose a higher standard than the IPPs.

The result of (2) is that codes providing exemptions will in effect have to be approved by both the Commissioner and the Minister. The Bill provides elsewhere that the Privacy Commissioner must be consulted about any draft codes (s 31(1)-(4)). If the Commissioner is not satisfied, this could be grounds for disallowance or invalidity of a code. This seems to be a very prudent way of protecting the IPPs. To a significant extent this compensates for the effect of defeat of another amendment that would have allowed the Privacy Commissioner to make the codes.

• All public registers must now comply with Pt 6, without the Minister first having to make a regulation to say that they are included. However, the Minister can make codes of practice concerning the application of Pt 6 to any public sector agency. Part 6 requires an agency to be satisfied that personal information it discloses via a register is to be used for a purpose related to the purpose of the register or the Act under which it is kept (s 57). It also allows agencies to keep some information in public registers as ‘silent entries’ in order to protect a person’s safety or well-being, unless this is outweighed by the public interest in not suppressing the information (s 58).
  
  
• State-owned corporations are now included under the legislation. It was only the casting vote of the Chairman of Committees which secured this amendment. The Government claimed that this would put State-owned corporations at a competitive disadvantage, but this was rejected by the Opposition, Greens and Democrats who noted that some are government monopolies and some were criticised by the Independent Commission Against Corruption’s report on corrupt information exchange which helped lead to this legislation.
  
  
• A couple of the devices which had the potential to destroy the Act by accumulated exemptions have been removed. All parties supported an amendment to delete the provision which exempted all agencies which are subject to the Freedom of Information Act 1989 (FOI Act) from the access and correction IPPs in this Bill. The Bill now merely confirms (s 20(6)) that any provisions of the FOI Act which impose limitations or restrictions will apply as if they were part of this Act. The two Acts will therefore remain consistent, but the extra protections provided by the IPPs will apply. Also, the Minister’s ability to exempt documents by merely claiming they were ‘publicly available information’ has been removed.

Remaining limits and weaknesses

Despite these improvements, the legislation still contains provisions which allow the Minister to repeal it in instalments, by regulations or by codes. These include provisions allowing information, or a class of documents, to be exempted from the definition of ‘personal information’ (s 4(3)) and allowing a person or body to be declared to be an ‘investigative agency’ (s 3) (s 24 exemptions then apply).

Codes of practice may weaken or inhibit the operation of the IPPs (s 30), but only where they ‘exempt’ a public sector agency from the operation of IPPs will the requirement of public interest justification (and the satisfaction of the Privacy Commissioner ) restrain a Minister.

Unlike in the Federal jurisdiction and in the privacy legislation of New Zealand and Hong Kong, the Minister, not the Privacy Commissioner, makes codes of practice (s 31). Public consultation by the Minister in the making of codes is not required by this Bill, and will depend to a large extent on how the Privacy Commissioner uses the requirement that he or she be consulted about proposed codes (s 31(1)-(3)).

The Bill already contains a wide range of specific exemptions additional to these potential exemptions, which have no equivalents in the Commonwealth Privacy Act 1988 despite it having been in effect for 10 years. These include exemptions for information or opinions about a person’s suitability for public sector office (s 4); sweeping exceptions for law enforcement activities by any public sector agencies (s 23); where any other Act implies or ‘reasonably contemplates’ an exemption (s 25); a complete exemption from the IPPs for the NSW Police Service, ICAC, Police Integrity Commission and NSW Crime Commission (s 27), except in relation to their administrative and educative functions; and partial (overlapping) exemptions for all investigative agencies (s 24), the Ombudsman, Health Care Complaints Commission, Anti-Discrimination Board, Guardianship Board and Community Services Commission, and for assorted other purposes (s 28). No doubt some of these exemptions are justified, but the Explanatory Memorandum and parliamentary debates give no explanation of any justification, and there will be no opportunity for the exemptions ever to be tested or questioned.

A proposed amendment to make the s 27 exemptions subject to a one year ‘sunset clause’, after which the NSW Police and other agencies would be subject to a code of practice which would specify which IPPs they would be exempt from and under what circumstances, was defeated.

In summary, the Bill already resembles Swiss cheese and may do so even more. It is privacy legislation for the less important bits of the NSW public sector.

An initial assessment

The Bill is already inherently limited in scope, but its remaining value, if it passes the Legislative Assembly, will depend to a large extent on how it is administered or abused. The Attorney-General will control the making of codes of practice and other exemptions by regulation, and may or may not resist whittling the Act away to nothing. The Privacy Commissioner has the potential to resist unjustified ministerial attempts to so act, and bring them to public notice. Finally, the Parliament retains the right to disallow codes and regulations which unjustifiably reduce the Act’s operation. Privacy and consumer groups will have to attempt to assist both the Commissioner and the Parliament to be vigilant. This legislation is always going to be in peril of ‘death by a thousand exemptions’.

The principal inherent defect of the legislative, its gaping hole, is the near-complete exemption given to the NSW Police Service, and other NSW investigative agencies. Judicial interpretation of what is an ‘administrative function’ of these agencies may impose some limitation on this. It must be remembered that NSW Police participation in the ‘information exchange club’ exposed by ICAC was one of the initial reasons for this legislation (see (1994) 1 PLPR 47). Politicians have selective memories.

We will have to wait to see whether this legislation serves mainly as a justification for increased surveillance and abuses of privacy, under the excuse of ‘its all done in accordance with the privacy legislation’, or whether it serves a limited but useful role in privacy protection.