Privacy Law and Policy Reporter
This is an edited version of a paper present at the Privacy & Data Protection Conference, 15 and 16 June 1998 in Sydney by Kerryn Newton, Research Director of the Legal, Constitutional and Administrative Review Committee of the Queensland Parliament. The text of the 32 recommendations made by the Committee in its report, and referred to in this article, is at (1998) 5 PLPR 49.
The Queensland Government is required to respond to the Committee’s recommendations (see 5 PLPR 49 for the legislative provisions requiring the Government to respond, and ‘Private Parts’ in this issue for the response and the current status of the Committee’s recommendations — General Editor)
In late 1996 the then recently-established Legal, Constitutional and Administrative Review Committee (LCARC) of the Queensland Parliament resolved that it would conduct an inquiry into privacy in Queensland. After an extensive consultation and deliberation process, the committee tabled its report in April this year. This paper outlines the background to the committee’s inquiry including its terms of reference and consultation process and its findings, particularly regarding information privacy, as set out in its report.
The second LCARC was established in April 1996 and immediately set itself a busy agenda in addressing matters within its areas of responsibility. These areas, as the committee’s name suggests, are legal reform, constitutional reform, electoral reform and administrative review reform.
One of the issues on this agenda, and to which the committee gave a high priority, was privacy. The committee’s reasons for this stemmed from a number of observations. Primarily, the committee was concerned as to the adverse effect that modern technology is having on individuals’ privacy. In the case of information privacy, the committee recognised the social and economic conveniences brought about by technologies which allow for high-volume processing, retention and instantaneous transmission of data. However, the committee shared the concerns expressed by others as to the effect that the same technology was having on the privacy of individuals’ personal information. In addition, the committee had concerns as to the ability for modern sophisticated audio and visual surveillance technology to infringe individuals’ communications and territorial privacy.
The second reason why the committee saw privacy as an area in need of review was due to the paucity of privacy protection currently offered in Queensland. In the absence of a State equivalent to the Commonwealth Privacy Act, privacy protection in Queensland is essentially limited to ad hoc protection offered by the common law and some scant statutory protection. The most ‘comprehensive’ privacy statute in Queensland, the Invasion of Privacy Act 1971 (Qld), is confined to regulating access to, and disclosure of, reports of credit reporting agents. The Act also makes it an offence to use listening devices and to enter a dwelling house without consent or by force, threat, deceit or false representations.
At one stage, Queensland did have a privacy committee. This committee was established under the 1984 Queensland Privacy Committee Act which was based on the New South Wales legislation of the same name. However, that committee’s functions and powers were limited and — pursuant to a sunset clause — it ceased to exist in 1991. Notably, in its final reports, the privacy committee recorded the need for comprehensive privacy legislation in Queensland covering territorial, personal, information and communications privacy. It also recommended revised terms of reference for a new privacy committee which would give that entity wider functions and powers, and more autonomy from the Executive. Neither that legislation nor the new committee was to eventuate.
Interestingly, privacy was not the subject of a report by Queensland’s former Electoral and Administrative Review Commission (commonly known as EARC). EARC was established following the Fitzgerald Inquiry of the late 1980s in order to address the deficiencies in Queensland’s then almost non-existent administrative and human rights law. Much of Queensland’s current administrative law, such as the Freedom of Information Act 1992 (Qld) and Judicial Review Act 1991 (Qld), emanated as a result of EARC’s work.
In its report on freedom of information, EARC stated that it was aware of the increasing demand for legislation protecting personal privacy. Further, EARC advised that while in that report it had attempted to promote the protection of information privacy, privacy principles were of such importance as to warrant separate review and legislation. Thus, EARC recommended that the government consider a review of privacy and the introduction of general privacy legislation. No such public review had been undertaken by 1996 when the committee first looked at this issue.
Against this background, the committee felt that there was a real need for a detailed, open review of privacy in Queensland.
The committee made a conscious decision not to set detailed terms of reference for its inquiry. The committee simply decided that it would conduct an inquiry into the adequacy of existing measures in Queensland which protect the privacy of individuals, and consider whether the introduction of further measures to enhance the privacy of individuals was desirable. The aim of this approach was to hear from the people of Queensland as to where their privacy concerns lay.
As a necessary part of this open approach, the committee embarked on a plan of wide public consultation which commenced with the release of an issues paper comprising some 23 issues designed to assist those making public submissions. The committee held a public seminar at which attendees heard from six people who represented a variety of organisations each with a different perspective on the issue of privacy. Recognising the importance of hearing from people outside Brisbane the committee also held public hearings on the Gold Coast and in Townsville.
From the outset it became very clear that many people and organisations had privacy concerns which they felt were not being adequately covered by Queensland’s current law. The majority of these concerns related to the privacy of personal information, particularly that collected, held and used by Queensland government departments and agencies. This is not to say that people did not have privacy concerns in other areas. Additional privacy matters brought to the committee’s attention included information privacy concerns relating to local government and the private sector, and non-information privacy concerns, particularly with respect to surveillance in public and private places.
Perhaps more so than with other issues, wide public consultation proved to be invaluable to the committee’s inquiry. As is evident from the committee’s report, public submissions formed a critical part of its deliberations.
As a result of both the committee’s decision not to restrict its inquiry to any particular category of privacy, and the subsequent breadth of issues raised in public consultation, the committee ended up with a gamut of privacy issues to consider and report upon.
The committee’s approach to this task was to first determine the threshold issue as to the adequacy of Queensland’s privacy laws. The committee had little trouble in determining that not only was the law inadequate, but that there were valid privacy concerns which needed to be addressed by legislative and/or administrative action. [Rec 1]
Therefore, the committee recommended that the Queensland government introduce measures to ensure the greater protection of individuals’ privacy. In particular, the committee recommended that the privacy protection of personal information held by Queensland government departments and agencies be addressed as a matter of priority. [Rec 1]
Following on from this, the committee canvassed a number of options which could be employed in addressing this priority area of information privacy in the public sector. The options considered by the committee — which it recognised could operate either in isolation or in combination — were a statutory tort of privacy, information privacy principles (IPPs) and/or a privacy commissioner or committee. After a careful analysis, the committee determined that a combination of IPPs and a privacy commissioner or committee to be established under a proposed Queensland Privacy Act was the most appropriate course of action. [Recs 3 and 4]
The committee considered that a statutory tort of privacy alone was undesirable given enforcement costs, the reactive manner in which a tort would operate, and the fact that it would not represent a clear, explicit and comprehensive statement as to what is good privacy practice. The committee also concluded that a statutory tort in combination with other forms of privacy protection was undesirable given that the tort could be used to prevent the legitimate exercise of the freedoms of speech, communication and the press. [Rec 2]
In effect, this approach meant that the committee formulated a framework for privacy regulation in Queensland. The benefit of this approach was that not only did this framework serve to address information privacy in the public sector, but it also established a structure within which other wider privacy concerns could be addressed.
The committee’s starting point for IPPs to apply to Queensland’s public sector were the IPPs in s 14 of the Privacy Act (Cth). The committee’s reasons for this were:
(1) these IPPs are based on the OECD Guidelines (governing the protection of privacy and transborder flows of personal data) and as such represent international best practice; and
(2) by Queensland adopting these IPPs there would be consistency between Commonwealth and Queensland privacy regimes. In turn, this would create certainty for clients as to their privacy rights — irrespective of whether they were dealing with a State or Federal agency — and make it easier for agencies to comply with both State and Commonwealth legislation.
Many submissions to the committee endorsed the notion that Queensland adopt or at least model its IPPs on those applicable at the Commonwealth level. A small number of departmental submissions did argue that these IPPs were unsuitable because they were designed for the Commonwealth, and that any IPPs to apply to Queensland’s public sector needed to be tailored to suit the State’s particular needs. However, upon closer examination, the committee concluded that any State concerns that needed to be addressed could be dealt within the context of modifications and exceptions to the application of the IPPs. Therefore, the committee recommended that the IPPs to apply to Queensland’s public sector be modelled on those of the Commonwealth. [Rec 5]
However, the committee added that it recognised the desirability for consistency between privacy regimes applying to the public and private sectors, given the increasingly blurred distinction between these sectors. Therefore, the committee recommended that the Queensland government monitor current moves in relation to reaching agreement on national privacy principles for the private sector and the adoption of those principles by other jurisdictions. The committee made it clear in its recommendation that at some future stage the Queensland government should consider adopting any such national principles if doing so would achieve the goal of national consistency in information privacy regimes applicable to all Australian public and private sectors. [Rec 5]
The committee was firmly of the view that, for IPPs to be truly effective, they needed to be in legislation; namely, the proposed Privacy Act (Qld). In particular, the committee wanted to ensure that compliance with the IPPs would be mandatory and that individuals would be able to enforce their information privacy rights. [Rec 6]
In reaching this conclusion the committee refuted the argument by some (including the Department of Justice) that the IPPs be implemented at least initially by way of administrative instruction, partly as this would result in a saving of cost. Although the committee recognised that implementation of its regime would involve some cost to agencies, it had difficulty seeing how the costs associated with implementation of the same set of IPPs, whether by legislation or administrative instruction, would differ. The committee believed that the more effective way to defray implementation cost was to phase the IPPs in over a period not exceeding one year. [Rec 3]
Having recommended that Queensland implement legislative IPPs modelled on those of the Commonwealth, the committee then considered important aspects of the application of the IPPs.
Firstly, the committee recognised that the IPPs are broad principles and that there may need to be some mechanism whereby these principles can be tailored to more appropriately suit a particular agency, or class or type of activity. New Zealand’s Privacy Act accommodates this by allowing for the modification of the application of the New Zealand IPPs by codes of practice.
Whilst the Privacy Act (NZ) applies to both the public and private sectors, the committee saw merit in similar ‘code of practice’ provisions being built into its proposed privacy legislation despite the legislation, at least initially, only applying to the State’s public sector. Areas in which the committee foreshadowed the possible need for a code of practice included the sharing of information required for the protection of children, persons with an impaired decision-making ability and the aged.
Thus, the committee recommended that the entity administering the Queensland legislation be able to modify the application of the IPPs by way of codes of practice promulgated as disallowable instruments. The provisions in Queensland’s Privacy Act in relation to these codes were recommended to be modelled on those contained in Pt VI of the Privacy Act (NZ). [Rec 7]
The committee also considered in what circumstances there should be exceptions to compliance with the IPPs. Clearly, there will be some circumstances in which the public interest will outweigh compliance with the IPPs. Some of the more obvious exceptions — such as law enforcement and medical emergencies — are specifically incorporated in the Commonwealth IPPs themselves. Thus, the committee endorsed the inclusion of these exceptions in the Queensland IPPs, although with some slight modifications in respect of the ‘public revenue’ and ‘law enforcement’ exceptions. Basically, the committee sought to insert an additional balance mechanism in both of these exceptions. This mechanism, if adopted, will require a designated senior officer of the public revenue collection body or law enforcement agency seeking personal information from an agency, to certify to that agency that that particular information is required for specific, relevant purposes. [Rec 8]
To cater for other ‘public interest’ exceptions to compliance with the IPPs, the committee recommended that the Queensland Privacy Act contain a part modelled on Pt VI of the Privacy Act (Cth) pursuant to which the entity administering the Queensland legislation will have the ability to make ‘public interest determinations’. Such determinations would allow approved conduct or practices that would otherwise be in breach of the IPPs. [Rec 8]
In terms of the application of the IPPs to information held at the commencement of the proposed legislation, the committee did recommend some slight deviation from the approach in s 15 of the Privacy Act (Cth) In essence, the committee recommended that IPPs 10 and 11 which relate to limits on use and disclosure of personal information should apply, as far as is reasonable, to information collected both before and after the commencement of the Privacy Act. (Currently s 15 of the Privacy Act (Cth) provides that these two principles only apply to information collected after the commencement of that Act.) [Rec 9]
Further, the committee recommended that special provision be made to the application of the access principle (IPP 6 of the Commonwealth IPPs) to health records. In this regard, the committee has followed the approach in the ACT’s Health Records (Privacy and Access) Act 1997 and drawn a distinction between evaluative and factual information. Thus, the committee recommended that the access principle apply to health records, or entries made on an existing record, where these occurred after the date of commencement of the Privacy Act (Qld). However, in cases where matters of fact are concerned, a person should have a right of access to these records whenever they were prepared. [Rec 9]
Naturally, the committee was concerned that Queensland’s privacy legislation should have a workable relationship with other legislation regarding access to information held by the government; namely, freedom of information (FOI) and archives legislation. In the case of archives legislation, the committee recommended that the approach in the Privacy Act (Cth) be followed, that is, the definition of ‘record’ in Queensland’s privacy legislation should not include a record in the ‘open access’ period as currently set out in the regulations to Queensland’s archives legislation. [Rec 11]
The interrelationship of proposed privacy legislation with Queensland’s FOI legislation is a little more complex. Primarily, the committee had two issues to consider.
(1) A difficulty arises because Queensland’s FOI Act uses the term ‘information concerning the personal affairs of a person’ in the provisions relating to exemption from access and amendment of information. While this phrase is not defined in the FOI Act, it is generally recognised as not being as broad in scope as the term ‘personal information’ which is used in both the Commonwealth privacy and FOI legislation. After some deliberation, the committee remained unconvinced that consistency in terminology is vital, particularly if the objectives of both pieces of legislation are to be achieved.
(2) The committee considered the proper location of the ‘access and amendment’ provisions. The committee’s preference was that these provisions should be located in its proposed privacy legislation on the basis that access to, and amendment of, personal information is essentially a privacy right.
In the final analysis the committee recommended that, given the complexity of issues arising in considering the interrelationship between the FOI Act and the proposed Privacy Act, Queensland’s Information Commissioner be extensively consulted with in the drafting of the Privacy Act and any consequential amendments to the FOI Act. However, the committee also recommended that during that process its observations outlined above be taken into account. [Rec 10]
The second element of the committee’s privacy regime was the establishment of a statutory privacy committee or commissioner. After carefully weighing up the advantages attaching to each model, the committee concluded that its proposed privacy legislation should be administered by a full-time Queensland Privacy Commissioner whose sole responsibilities are to relate to privacy. [Recs 12 and 15]
However, the committee recommended that the Commissioner be assisted by a privacy advisory committee with a broad membership representative of organisations covered by the privacy regime and other interested persons. The provisions in Queensland’s Privacy Act relating to the establishment, constitution and functions of this advisory committee are to be broadly modelled on those relating to the similar committee operating under the Commonwealth Privacy Act. [Rec 12]
The committee has recommended that the Queensland Privacy Commissioner have similar functions and powers to his/her Commonwealth counterpart with some slight amendments. Thus, the Commissioner’s functions will include receiving and investigating complaints about breaches of the IPPs, conducting audits of compliance with the IPPs and conducting education in relation to the operation of the IPPs. [Recs 13 and 14]
In addition, the committee has made it clear that some of the functions the Queensland Privacy Commissioner are to relate to ‘non-information’ as well as information privacy concerns. The Commonwealth Privacy Act does not explicitly state that the federal Privacy Commissioner has functions in relation to privacy other than information privacy. [Rec 27]
In the case of the Commissioner’s powers, these slight amendments relate to the appeal and review mechanisms open to complainants, and to the Commissioner’s reporting powers which the committee recommended should be broadly drafted so as to permit the Commissioner to report to the Minister and Parliament in relation to any matter within his/her jurisdiction. [Rec 14]
A final point about the Queensland Privacy Commissioner which is important to note is that the committee has recommended that the Commissioner be an officer of the Parliament. The committee believed that if the Commissioner is to be, in effect, a privacy ‘watchdog’ over the government, then the office must be sufficiently independent. This is not an unprecedented move as other jurisdictions, such as Canada, have also made their privacy commissioners officers of Parliament. [Rec 16]
The committee further recom-mended that LCARC itself should be the conduit through which this accountability to Parliament takes place, and as such it should be consulted in relation to the Commissioner’s appointment,suspension and removal, and the formulation of the office’s budget. [Rec 16]
Throughout its inquiry the committee was conscious of the blurring in demarcation between the public and private sectors being brought about by the corporatisation and outsourcing of services traditionally provided by governments.
In its report the committee dealt with the scope of its privacy regime in this regard, and recommended that its proposed legislation should apply to:
Additional notable recommendations which are aimed at ensuring the effectiveness of the committee’s privacy regime include:
Part 3 of the committee’s report deals with information privacy in the private sector. Not surprisingly this was an area in relation to which the committee received a large number of submissions. It was also an area in which there was a lot of activity and comment during the course of the committee’s inquiry, not the least of which was the release of the federal Privacy Commissioner’s ‘National principles for the fair handling of personal information’.
Overall, submissions to the committee stated that privacy regulation additional to that which currently exists should apply to the private sector. Many submissions from government departments and agencies and advocacy, consumer and other groups argued that this additional regulation should be via legislation. Submissions received from private sector organisations varied in their responses as to whether self-regulation beyond current self-regulation was required, although there was a clear message that if any scheme is to be introduced it must be done in a nationally consistent manner rather than on a State-by-State basis.
In light of these submissions and the committee’s research, the committee concluded that there were concerns in the community as to the level of privacy protection afforded to personal information in the private sector. It was not convinced that the current law and/or market processes are adequately addressing these concerns. Therefore, the committee concluded that the private sector should be subject to further regulation than that which currently applies.
As to the form of this further regulation, the committee identified two main options: a more structured self-regulatory scheme such as that which the federal Privacy Commissioner is currently developing; or a legislative scheme such as that initially proposed by the federal Attorney-General in September 1996.
However, the committee, without discussing these options further, saw national consistency as an overriding factor. On this basis, it recommended that the Queensland government support the federal Privacy Commissioner’s current consultation process in line with the Federal Government’s position, to reach agreement on a national scheme relating to information privacy in the private sector. However, the committee stressed that this national scheme should incorporate both best practice privacy standards and effective supervisory, enforcement and complaint resolution mechanisms. [Rec 25]
The committee separately canvassed the privacy of health information in the private sector in recognition of the specific consideration which needs to be given to this area. Whilst the committee’s recommendation in part copied that above in relation to privacy in the private sector, the committee did add that, once established, the Queensland Privacy Commissioner should review the protection afforded to health information in the private sector and make any necessary recommendations. [Rec 26]
Part 4 of the committee’s report deals with other specific information and non-information privacy concerns.
The committee felt it was important that the Queensland Privacy Commissioner explicitly be given jurisdiction to deal with non-information privacy concerns. Thus, recommendation 27 makes it clear that certain of the Commissioner’s broader functions, such as conducting education and publishing guidelines for the avoidance of privacy intrusive acts or practices of an agency, should also relate to non-information privacy matters such as surveillance.
The four main information and non-information privacy concerns canvassed in Part 4 are, briefly, as follows.
(1) Surveillance. It was obvious from submissions that the use of surveillance in both the public and private sectors is of concern to the community. Therefore, the committee recommended that, upon establishment, the Queensland Privacy Commissioner inquire into surveillance undertaken by the private and public sectors in Queensland, and that such an inquiry should draw upon the consultation undertaken by, and the research and findings of, the NSW Law Reform Commission in relation to its current surveillance inquiry. [Rec 28]
(2) Smart cards and electronic commerce. The committee recognised the number of privacy issues arising from the various existing and potential applications of smart cards and the wider area of electronic commerce. In the case of the use of smart cards by government departments and agencies, the committee noted that smart card systems would be required to comply with the IPPs in its proposed legislation. However, the committee recommended that the Queensland Privacy Commissioner:
(3) Genetics. There will no doubt be a realisation of, and an expansion in, the privacy and discrimination issues arising from the area of genetics in the very near future. For this reason, the committee felt that genetics should be raised in a comprehensive report on privacy. Unfortunately, time and resources did not permit the committee to conduct specific consultation or research in relation to each of the issues identified in relation to genetics. Further, it recognised that many genetic-related issues obviously would be better dealt with on a national rather than State-by-State basis. Therefore, the committee recommended that genetics be the subject of further consultation and inquiry by the Queensland Privacy Commissioner, such inquiry to be undertaken in light of developments at the federal level and in conjunction with relevant federal bodies. [Rec 30]
(4) The media. A number of submissions to the committee raised concerns about the media and privacy and, in particular, the current self-regulatory measures regarding the media industry. Therefore, whilst it was an area which the committee wanted to canvass in its report, again the committee recognised that any reform of the current system needed to be done on a national basis. [Rec 31]
The last, but by no means least important, of the committee’s recommen-dations is its final recommendation which is capable of standing alone from all of the committee’s other recommendations. Recommendation 32 is aimed at encouraging agencies, organisations and individuals — particularly those who draft policy and laws — to be more privacy aware. In other words, it seeks to bring about a cultural change which would obviously complement any structural change in privacy regulation in Queensland.
Recommendation 32 concerns a pre-legislative process which operates in Queensland and seeks to protect individuals’ rights and liberties. This process, set out in the Legislative Standards Act 1992 (Qld), requires that legislation must have sufficient regard to ‘fundamental legislative principles’. These principles are described as ‘principles relating to legislation that underlie a parliamentary democracy based on a rule of law’ and include requiring that legislation has sufficient regard to the ‘rights and liberties of individuals’.
A number of examples as to whether legislation has sufficient regard to the rights and liberties of individuals are listed in the Act. These include whether legislation:
While these examples are in no way an exhaustive statement of what the ‘rights and liberties of individuals’ may entail, they do provide an important reference point as to what rights and liberties legislation should have regard to. In this context the committee felt that privacy was a notable omission from the list of examples.
Thus, the committee recommended that the Legislative Standards Act be amended by the insertion of an additional privacy example. The adoption of the committee’s recommendation would mean that the drafters of Queensland’s legislation would have to ensure that legislation ‘does not allow for intrusion of the privacy of individuals (including information, communication, personal and territorial privacy) without adequate justification’. [Rec 32] v
Research Director of the Legal, Constitutional and Administrative Review Committee of the Qld Parliament.