Privacy Law and Policy Reporter
The Victorian Government’s draft Data Protection Bill, released in December 1998 with an accompanying Discussion Paper, has many elements which may provide the model for information privacy protection in Australia, both at State and Federal levels (Data Protection Bill Discussion Paper, December 1998, Multimedia Victoria, December 1998 — available at http://www.mmv.vic.gov.au under ‘publications’). Submissions were called for by 12 February.
The draft Bill removes many of the uncertainties about the Victorian Government’s original proposals (see for example ‘Will Stockdale break the privacy impasse?’ (1998) 5 PLPR 21), and generally does so by clarifying that strong privacy protection is intended. The government has responded to many of the submissions it received.
The proposed legislation can be summed up in a few propositions:
Victoria has delivered a model for genuine co-regulation, where codes of practice provide flexibility but both the IPPs and codes are equally enforceable with remedies equivalent to those in the Commonwealth Privacy Act 1988. While there is still room for improvement on the Victorian model, it sets the standard around which the debate over information privacy protection in Australia should be conducted.
Organisations must comply with the IPPs (s 11(1)). The IPPs, set out in Schedule 1 (s 9), are based closely on the Commonwealth Privacy Commissioner’s ‘National Privacy Principles’, as revised in January 1999 (see http://www.privacy.gov.au or the next issue of PLPR for the text). Schedule 1 is essentially a conversion of the Commissioner’s Principles into statutory language (such as converting ‘should’ into ‘must’). However, there are some modifications.
In an effort to obtain national uniformity, the Victorian Bill is therefore based on a set of Principles which are not the product of consensus, are more a product of horse-trading than considered reform, and which have been criticised very strongly by privacy and consumer organisations (see (1998) 5 PLPR 41 for details), although welcomed by participating business organisations. The final view of privacy and consumer organisations on the Commissioner’s revised Principles will be included in the next issue of PLPR, and more general critiques in issues to follow.
The Victorian government should reach its own view on what privacy principles are in the public interest, and set the standard for Australia, while seeking as much uniformity with other jurisdictions as can be achieved. As a minimum, it should provide for a review of the IPPs by the Privacy Commissioner after three years.
IPP 9 follows the Commissioner’s revised Principles in expanding the scope of the data export restriction so that it now applies to disclosures ‘to a third party’, not just those ‘outside Australia’. This is significant in that it now restricts data transfers to other States and Territories, not just to overseas jurisdictions, as it needs to do if it is not to be regarded as a non-tariff trade barrier. The data export restriction in the new NSW Act also applies to exports to other States and Territories (see article this issue).
IPP 9 needs to be clarified to ensure that it does apply to a transfer of information within an organisation, but from Victoria to another jurisdiction, without sufficient privacy protection. As the Commissioner’s Guidance Note now says, it was intended that ‘This principle would prevent an organisation from disclosing personal information to any recipient that is not subject to a comparable information privacy scheme, whether the recipient is located within or outside Australia’. The problem with the Victorian statutory formulation is that it is not supported, for purposes of interpretation, by the Commissioner’s Guidance Notes. The Bill therefore needs to clarify that, for IPP 11, ‘a third party’ includes a part of the same organisation which is located outside Victoria.
An additional clause 9.2 has been added to the Commissioner’s Principles, providing that an organisation will be deemed to comply with its obligation to take ‘reasonable steps’ to provide protection in data exports if there is a contract between the supplier and recipient of the data which adopts the model terms for such agreements published by the Privacy Commissioner. This is a very undesirable and unnecessary exception, because, depending on the particular transfer (such as the jurisdiction where the data is being transferred to), such a contract may provide no protection, or may not provide the best protection available. It is unnecessary to provide that such contracts will always be sufficient, and to do so reduces the likelihood that IPP 9 will satisfy the European Union’s requirements for adequate protection against onward transfers.
The Bill does not allow an organisation to avoid its responsibilities simply by outsourcing aspects of its handling of personal information. The outsourcing organisation will be deemed liable for any actions of the contracted service provider unless it can establish that it ‘took reasonable precautions and exercised due diligence’ to avoid any breaches (s 12(3)). The IPPs and codes also apply to any contracted service provider to the same extent as they apply to the outsourcing organisation (s 12(2)), which could lead to some interesting jurisdictional extensions of the Act.
The Bill provides for relatively few exceptions to its operation, including:
Some of these exceptions may be unnecessarily broad, and this will be covered in a subsequent article in PLPR, but they are not extensive compared with those in the NSW Act. Whether the range of exceptions will remain as limited in the course of passage of the Bill will be one of the main determinants of its acceptability as a model.
An organisation may seek approval of a code of practice by submitting the code to the Privacy Commissioner (s 14(1)). If the Commissioner recommends its approval to the Governor in Council, the code is approved when gazetted (s 14(2)). It does not seem that the Commissioner can draft or amend codes, but could of course refuse to recommend them until they are appropriately amended. The Commissioner must keep a register of approved codes (s 16).
Codes may be varied in the same manner as they are approved (s 14), and can be revoked by a similar process on the application of an individual or organisation to the Privacy Commissioner, or on the Commissioner’s own initiative (s 17).
The Commissioner must be satisfied that any proposed code (or variation) meets two standards: (i) it must ‘substantially achieve the privacy objectives of this Act in relation to the personal information to which the code applies’, and (ii) the approval must not be ‘contrary to the public interest’ (s 14(3)). Before recommending approval, the Commissioner must also consult the Federal Privacy Commissioner, may consult others, and must allow adequate opportunity for public comment (s 14(4)).
Codes may cover virtually any aspect of the Act, including both its substance (the IPPs, public registers and data matching), and its procedural aspects (complaint procedures, remedies and charges) (s 13). However, codes cannot supplant the right of an individual to ‘appeal’ to the Privacy Commissioner and the Tribunal under Pt 4 if they are dissatisfied with how they have been dealt with under a code, and cannot alter the remedies available from the Tribunal. The very great flexibility that codes provide is therefore tempered by both the standards that must be observed when they are made, and the remedies that apply irrespective of what ‘internal’ remedies the code may itself provide. It is a fair balance.
A code may modify ‘any one or more’ of the IPPs, by prescribing standards that are more or less stringent than the IPPs, or even by exempting the application of an IPP (subject to the standards the Commissioner must apply) (s 13(2)). Codes may apply to classes of information, organisations or activities, or an ‘industry, profession or calling’ (s 13(3)).
If a code contains requirements that are not otherwise found in an IPP, a breach of those requirements is deemed to be a breach of an IPP (s 15(b)). Codes can therefore extend the reach of the Act at least as easily as they can restrict it.
An approved code is intended to supplant the Act only to the extent that it specifies (Discussion Paper). The wording of s 15, taken on its own, could mean that any code, no matter how few IPPs it covers, would supplant all of the IPPs. However, since s 13(2) specifies that a code may modify ‘any one or more’ IPPs, it is clear that codes may supplant only part of the IPPs and the IPPs and other aspects of the Act will continue to operate to any extent that a code does not deal with them. This allowance for ‘partial codes’ is very desirable, but will sometimes lead to some difficult questions of interpretation if a code does not state precisely which provisions of the Act it is intended to supplant. The Commissioner can avoid these problems by careful checking of codes.
Individuals may make a complaint to the Privacy Commissioner under Pt 4 about an interference with privacy if there is no approved code of practice applying (s 18(2)(a)). They can also make a complaint if a code does apply and they have received a response to a complaint from the code administrator which they consider to be inadequate, or no response (s 18(2)(b)). There are a variety of grounds on which the Commissioner can refuse to entertain a complaint (s 20), but the complainant may then require the Commissioner to refer the complaint to the Tribunal (s 20(6)). The Minister may also refer complaints raising important public policies direct to the Tribunal (s 22(1)).
The Privacy Commissioner must attempt to conciliate a complaint if he or she thinks that successful conciliation is reasonably possible (s 24). If the parties reach agreement following conciliation, any party has 30 days following agreement to request that the agreement be put in writing and signed by all parties and certified by the Commissioner (s 27). The agreement can then be registered with the Tribunal, and on registration it becomes an order of the Tribunal and its terms can be enforced accordingly (s 27(5)). If the Commissioner decides it is not reasonably possible that a complaint will be conciliated successfully, the complainant can require it to be referred to the Tribunal (s 28).
The Victorian Civil and Administrative Tribunal (VCAT) has powers to make a wide range of orders after it hears a complaint (s 34), including:
These powers are substantially similar to those found in the Commonwealth Privacy Act 1988 and the NSW Privacy and Personal Data Protection Act 1998, except that the maximum amount of compensation is $40,000 in NSW and not limited in the Commonwealth.
A hearing by the VCAT, and these remedies, are ultimately available to any complainant, irrespective of whether they initially make a complaint to a code administrator (and then to the Commissioner and then the VCAT); or whether their initial complaint is to the Commissioner because no code applies, and then to the VCAT because conciliation fails; or whether because the Commissioner or the Minister refers the complaint direct to the VCAT. This is the strength of the Bill: at the end of the day, all complainants have access to the same remedies.
The VCAT can also make interim orders, on the application of a complainant or the Commissioner, to prevent any party taking actions which would prejudice conciliation or any order the VCAT might subsequently make (s 30).
If an organisation failed to comply with a Tribunal order under s 34 restraining the continuation of conduct which was the subject of a complaint, this would be contempt of the VCAT.
Criminal penalties can arise if the Commissioner considers that an organisation has breached the IPPs (or a code) and the breach ‘constitutes a serious or flagrant contravention’ (not defined further) or is not so serious but is repetitive (defined as ‘engaged in ... on at least five separate occasions within the previous two years’) (s 35). The Commissioner can issue a ‘compliance notice’ either on his own initiative or on an application by a complainant (s 35(3)). In such cases the Commissioner has wide powers of investigation (ss 36-38). It is an indictable offence for an organisation not to comply with a compliance notice (s 39), and there is a right to seek a review of the Commissioner’s decision by the VCAT.
Other than this, a breach of the Act does not create any criminal liability (s 6(2)).
‘Nothing in this Act ... gives rise to, or can be taken into account in, any civil cause of action’ (s 6(1)(a)). So, for example, a disclosure in breach of the Act would not in itself constitute a statutory tort, nor could IPP 2 be taken as constituting ‘circumstances of confidence’ for the purposes of an action for breach of confidence. However, this provision might not apply to a code of practice (since it is not ‘in this Act’), but nor should it, since a code involves an organisation holding out what its practices will be.
In relation to any interferences with privacy which fall outside the scope of the IPPs, the Privacy Commissioner will have an ‘ombudsman’ role of investigation and conciliation (s 49(g)). This role is equivalent to that which has been exercised by the NSW Privacy Committee since 1975, and is now exercised by the new NSW Privacy Commissioner. In Australia’s two largest jurisdictions, it will therefore be possible to seek investigation and conciliation of any privacy issue. This may become an important and valuable element of ‘the Australian model’.
The Bill takes a complex approach to public registers (defined in s 3). Public sector agencies must administer public registers so far as is reasonably practical by observing the IPPs in relation to them (and as if they contained personal information) (s 11(3)). Codes of practice can apply to public registers (s 13(5)). Insofar as they apply to public registers, IPPs and codes cannot be the subject of a complaint under Pt 4 because the information in a public register is not ‘personal information’ (s 18(1) and s 3 definition of ‘personal information’). However, public registers can be the subject of complaints to the Commissioner as ‘ombudsman’ under s 49(g). The main difference is that the remedies which the Tribunal can award are not available in relation to public registers. However, the Commissioner can issue Pt 5 compliance notices in relation to public registers.
The Victorian Government has produced a well-balanced privacy Bill which should be enacted as quickly as possible. The Discussion Paper says that it is scheduled for introduction and passage in the Autumn 1999 Parliamentary sittings. It can apply immediately to Victoria’s public sector agencies. The Victorian Government should stick to its promise to apply the legislation to the private sector if the Commonwealth fails to act, and it should do so if the Commonwealth takes an approach that falls unacceptably short of Victoria’s benchmark. A deadline of 1 January 2000 would be a suitable date for Victoria’s legislation to have full force, and quite sufficient time for the Commonwealth to act.
Graham Greenleaf, General Editor.