Privacy Law and Policy Reporter
The Privacy and Personal Information Protection Bill 1998 introduced into Parliament by the New South Wales Government in September was a contender for ‘world’s worst practice’ in privacy legislation. The Bill gave only an illusion of privacy protection because a variety of drafting devices:
The Bill was a travesty of Attorney-General Jeff Shaw’s 1996 promise of ‘revolutionary’ privacy legislation (see (1996) 3 PLPR 17), and a testament to the power of the Cabinet Office and investigative agencies in NSW to exert their will over politicians.
On 29 October the amended Bill emerged from the NSW Legislative Council considerably improved, but still deformed and potentially harmful to privacy in many respects. In most respects, it is a bad model for privacy legislation in other jurisdictions. This article summarises the Bill as it now stands, but it will be analysed fully if and when it completes its passage through Parliament.
With considerable input and some drafting from consumer and privacy organisations, the Opposition, Greens and Democrats all proposed amendments. In some instances the Government supported amendments by the Greens and Democrats which the Opposition opposed, and in other instances amendments prevailed by the combined numbers of Opposition and a majority of the cross-benches. The Bill was amended to apply to State-owned corporations only on the casting vote of the Chairman.
The resulting Bill is such that the Government may allow it to pass the Legislative Assembly as it is when Parliament resumes on November 10, or it may pass an amended bill which does not cover State-owned corporations and return the Bill to the Legislative Council. Anything is still possible with this legislation, which has a long history of not happening.
The core of the Bill is that it provides for 11 ‘Information Protection Principles’ (IPPs), the content of which are essentially equivalent to those in the Commonwealth Privacy Act 1988. The IPPs only apply to the NSW public sector, including local government and prescribed bodies which are providing outsourced data services. Neither major party was willing to include the private sector at all, despite the Attorney-General’s 1996 commitment to do so to make NSW ‘EU-safe’. Codes of practice, made by Ministerial regulation and disallowable by Parliament, can modify the operation of the IPPs and provide exceptions to their operation.
Complaints of breaches of the IPPs will be investigated by the new NSW Privacy Commissioner (who the Government has previously said will be the current Chair of the Privacy Committee, Chris Puplick), and the NSW Privacy Committee will finally disappear after its 21 year history. The Commissioner can only mediate complaints, but complainants will be able to appeal (thanks to amendments) to the new Administrative Decisions Tribunal (headed by former Commonwealth Privacy Commissioner Kevin O’Connor). The Tribunal can award compensatory damages of up to $40,000 and can order remedial actions.
Amendments to the Bill by the Legislative Council have improved it considerably. The highlights follow.
(1) the jurisdiction has a privacy law applying to that information which the Privacy Commissioner has declared to be a relevant law; or
(2) there is a code of practice which allows such transfers (so as to accommodate where adequate protection can be provided by means other than legislation). The provision for a code of practice will give considerable flexibility so as to ensure that transfers which are in the public interest are not prevented. The provision will not operate for one year, to give time for a code to be developed.
(1) codes must provide standards of privacy protection which protect NSW agencies against data import restrictions (which should mean that any codes must be ‘adequate’ in terms of the EU Directive);
(2) codes can’t provide exemptions from the IPPs unless the Privacy Commissioner (not the Minister) is satisfied that the public interest in allowing the exemption outweighs the public interest in the agency complying with the IPP; and
(3) codes can’t impose a higher standard than the IPPs.
The result of (2) is that codes providing exemptions will in effect have to be approved by both the Commissioner and the Minister. The Bill provides elsewhere that the Privacy Commissioner must be consulted about any draft codes (s 31(1)-(4)). If the Commissioner is not satisfied, this could be grounds for disallowance or invalidity of a code. This seems to be a very prudent way of protecting the IPPs. To a significant extent this compensates for the effect of defeat of another amendment that would have allowed the Privacy Commissioner to make the codes.
Despite these improvements, the legislation still contains provisions which allow the Minister to repeal it in instalments, by regulations or by codes. These include provisions allowing information, or a class of documents, to be exempted from the definition of ‘personal information’ (s 4(3)) and allowing a person or body to be declared to be an ‘investigative agency’ (s 3) (s 24 exemptions then apply).
Codes of practice may weaken or inhibit the operation of the IPPs (s 30), but only where they ‘exempt’ a public sector agency from the operation of IPPs will the requirement of public interest justification (and the satisfaction of the Privacy Commissioner ) restrain a Minister.
Unlike in the Federal jurisdiction and in the privacy legislation of New Zealand and Hong Kong, the Minister, not the Privacy Commissioner, makes codes of practice (s 31). Public consultation by the Minister in the making of codes is not required by this Bill, and will depend to a large extent on how the Privacy Commissioner uses the requirement that he or she be consulted about proposed codes (s 31(1)-(3)).
The Bill already contains a wide range of specific exemptions additional to these potential exemptions, which have no equivalents in the Commonwealth Privacy Act 1988 despite it having been in effect for 10 years. These include exemptions for information or opinions about a person’s suitability for public sector office (s 4); sweeping exceptions for law enforcement activities by any public sector agencies (s 23); where any other Act implies or ‘reasonably contemplates’ an exemption (s 25); a complete exemption from the IPPs for the NSW Police Service, ICAC, Police Integrity Commission and NSW Crime Commission (s 27), except in relation to their administrative and educative functions; and partial (overlapping) exemptions for all investigative agencies (s 24), the Ombudsman, Health Care Complaints Commission, Anti-Discrimination Board, Guardianship Board and Community Services Commission, and for assorted other purposes (s 28). No doubt some of these exemptions are justified, but the Explanatory Memorandum and parliamentary debates give no explanation of any justification, and there will be no opportunity for the exemptions ever to be tested or questioned.
A proposed amendment to make the s 27 exemptions subject to a one year ‘sunset clause’, after which the NSW Police and other agencies would be subject to a code of practice which would specify which IPPs they would be exempt from and under what circumstances, was defeated.
In summary, the Bill already resembles Swiss cheese and may do so even more. It is privacy legislation for the less important bits of the NSW public sector.
The Bill is already inherently limited in scope, but its remaining value, if it passes the Legislative Assembly, will depend to a large extent on how it is administered or abused. The Attorney-General will control the making of codes of practice and other exemptions by regulation, and may or may not resist whittling the Act away to nothing. The Privacy Commissioner has the potential to resist unjustified ministerial attempts to so act, and bring them to public notice. Finally, the Parliament retains the right to disallow codes and regulations which unjustifiably reduce the Act’s operation. Privacy and consumer groups will have to attempt to assist both the Commissioner and the Parliament to be vigilant. This legislation is always going to be in peril of ‘death by a thousand exemptions’.
The principal inherent defect of the legislative, its gaping hole, is the near-complete exemption given to the NSW Police Service, and other NSW investigative agencies. Judicial interpretation of what is an ‘administrative function’ of these agencies may impose some limitation on this. It must be remembered that NSW Police participation in the ‘information exchange club’ exposed by ICAC was one of the initial reasons for this legislation (see (1994) 1 PLPR 47). Politicians have selective memories.
We will have to wait to see whether this legislation serves mainly as a justification for increased surveillance and abuses of privacy, under the excuse of ‘its all done in accordance with the privacy legislation’, or whether it serves a limited but useful role in privacy protection.