Privacy Law and Policy Reporter
Victoria will become the second Australian State, after NSW, to enact information privacy legislation covering the State’s public sector. The Information Privacy Bill 2000 was introduced and given its second reading speech on 26 May 2000 by John Brumby MP, the Labor Government’s Minister for State and Regional Development. The Bill is available at <http://www.dms.dpc.vic.gov.au/pdocs/bills/B00596>.
The Bill retains most of the features of the previous Liberal Government’s Data Protection Bill 1999, but has some significant differences. Due to these similarities, this article draws on and in many respects updates the analysis of the 1999 Victorian Bill in Greenleaf, ‘Victoria’s draft Data Protection Bill — the new model Bill?’ (1999) 5 PLPR 136 (see also Waters, ‘Victoria keeps up the pressure’ (1999) 5 PLPR 165).
The main difference is the Bill’s more limited scope: it only covers the public sector, whereas the Liberals’ 1999 Bill covered both public and private sectors. The Labor Government has decided that the private sector is to be left to Federal legislation.
The Bill can be summed up in a few propositions.
Victoria’s ‘2000 Bill’ is, like its predecessor, a model for genuine co-regulation, where codes of practice provide flexibility but both the IPPs and codes are equally enforceable with remedies equivalent to those in the Privacy Act 1988 (Cth). While there is still significant room for improvement, the Victorian Bill is still the best model for co-regulatory protection of privacy yet seen in Australia.
The Bill applies to all Victorian public sector agencies, local councils, bodies established or appointed for a public purpose, Ministers, Parliamentary Secretaries and MPs (but only in relation to information they receive in that capacity), and other bodies (cl 9(1)). Such bodies are ‘organisations’ under the Act (cl 3 definition). There is provision for the Governor-in-Council to declare by gazetted Order for other organisations to be covered (cl 9(2)(b)), and for some office holders and bodies created for public purposes to be exempted if they are more appropriately governed by another scheme (cl 9(2)(b) and (3)).
The legislation will come into effect when s 15 is proclaimed or on 1 September 2001, whichever is earlier (cl 2). There is a 12 month phase in period for the IPPs (cl 16(1)). The IPPs will apply to all information irrespective of when it is collected, except that IPP 1 (collection) and IPP 10 (sensitive information) will only apply from when s 15 is proclaimed (cl 15).
Organisations must comply with the IPPs set out in Sch 1 (cl 16), and failure to do so is an interference with privacy (cl 14). The IPPs are based on the Commonwealth Privacy Commissioner’s NPPs, and are in most respects the same as the NPPs in the Commonwealth Privacy Amendment (Private Sector) Bill 2000.
However, there are some significant differences between the IPPs and the NPPs, including the following.
A law enforcement agency (defined widely) is not required to comply with most of the IPPs if it ‘believes on reasonable grounds that the non-compliance is necessary’ for virtually anything to do with law enforcement (cl 13). The exemption is difficult to evaluate in the abstract. Law enforcement agencies are prima facie obliged to comply with all the IPPs, but can attempt to justify non-compliance in any particular instance. The VCAT and the courts could ultimately decide when such beliefs are reasonable.
It is arguable that such a belief would have to be formed in light of the circumstances of a particular instance, and could not be set down in advance as an agency policy that a particular IPP would not be complied with in certain circumstances. Similarly, it is not clear that a law enforcement agency could draw up a code which would clarify when it would and would not comply with particular IPPs. It would create greater certainty for both law enforcement agencies and for the public if such agencies were authorised and required by the Bill to draw up codes which clarified how the legislation applied to them, at least in the normal case. If the legislation is not going to clarify the situation, some later process of clarification is still needed.
The Bill does not allow an organisation to avoid its responsibilities by simply outsourcing aspects of its handling of personal information. If a state contract provides that the contracted service provider is bound by the IPPs or a code, then they will apply to the contracted service provider to the same extent as they apply to the outsourcing organisation (cl 17(2)). The outsourcing organisation also remains liable for any actions of the contracted service provider unless it can establish that the provision included such a provision in the state contract, and that it is ‘capable of being enforced’ against the contracted service provider. This is slightly less strict than under the 1999 Bill, where the outsourcing organisation also had to show that it ‘took reasonable precautions and exercised due diligence’ to avoid any breaches.
Like the NSW legislation in relation to the public sector, and the Commonwealth Bill in relation to the private sector, this Bill takes a co-regulatory approach by allowing approved codes of practice to supplant the legislation.
An organisation may seek approval of a code of practice by submitting the code to the Privacy Commissioner (cl 19(1)). If the Commissioner recommends its approval to the Governor-in-Council, the code is approved when gazetted (cl 19(2)). It does not seem that the Commissioner can draft or amend codes, but he or she could of course refuse to recommend them until they are appropriately amended. Before recommending approval, the Commissioner may consult others, and must take into account the opportunity for public comment (cl 19(4)). The Commissioner must keep a register of approved codes (cl 22).
Codes may be varied in the same manner as they are approved (cl 19), and can be revoked by a similar process on the application of an individual or organisation to the Privacy Commis-sioner, or on the Commissioner’s own initiative (cl 23).
The Commissioner must be satisfied that any proposed code (or variation) is consistent with the objects of the Act and that its standards are ‘at least as stringent’ as the IPPs (cl 19(3)). If a code contains requirements that are not otherwise found in an IPP, a breach of those requirements is deemed to be a breach of an IPP (cl 21). Codes can therefore extend the reach of the Act but cannot restrict it. These provisions are stronger than those in the 1999 Victorian Bill which only required that codes must ‘substantially achieve the privacy objectives of this Act’ and not be ‘contrary to the public interest’, and thus allowed codes to weaken the IPPs. In contrast to the Commonwealth legislation, there is no provision in the current Bill for anything equivalent to ‘Public Interest Determinations’ whereby an agency can put forward a case for some partial exemption from the Act on public interest grounds.
Codes may cover virtually any aspect of the Act, including both its substance — the IPPs, public registers and data matching — and its procedural aspects — complaint procedures, remedies and charges — (cl 18). Codes may apply to classes of information, organisations or activities, or an ‘industry, profession or calling’ (cl 18(3)).
However, codes cannot supplant the right of an individual to ‘appeal’ to the Privacy Commissioner and (ultimately) to the VCAT under Pt 5 if they are dissatisfied with how they have been dealt with under a code (cl 25(1)(c)) or alter the remedies available from the VCAT. The very great flexibility that codes provide is therefore tempered by both the standards that must be observed when they are made and the remedies that apply, irrespective of what ‘internal’ remedies the code may itself provide. It is a fair balance.
Individuals may make a complaint to the Privacy Commissioner about an interference with privacy if there is no approved code of practice applying (cl 25(2)(a)). They can also make a complaint if a code does apply and they have received either a response to a complaint from the code administrator which they consider to be inadequate or no response (cl 25(2)(b)). There are a variety of grounds on which the Commissioner can refuse to entertain a complaint (cl 29), but the complainant may then require the Commissioner to refer the complaint to the VCAT (cl 29(5)). The Minister may also refer complaints raising important public policies direct to the VCAT (cl 31).
The Privacy Commissioner must attempt to conciliate a complaint if he or she thinks that successful conciliation is reasonably possible (cl 33). If the parties reach agreement following conciliation, any party has 30 days following agreement to request that the agreement be put in writing, signed by all parties and certified by the Commissioner (cl 33). The agreement can then be registered with the VCAT, and on registration it becomes an order of the VCAT and its terms can be enforced accordingly (cl 33(5)). If the Commissioner decides it is not reasonably possible that a complaint will be conciliated successfully, the complainant can require it to be referred to the VCAT (cl 32).
The VCAT has powers to make a wide range of orders after it hears a complaint (cl 43), including orders:
These powers are substantially similar to those found in the Commonwealth Privacy Act 1988 and the NSW Privacy and Personal Data Protection Act 1998, except that the maximum amount of compensation is $40,000 in NSW and is not limited in the Commonwealth.
A hearing by the VCAT, and therefore these remedies, is ultimately available to any complainant, irrespective of whether they initially make a complaint to a code administrator (and then to the Commiss-ioner and then the VCAT); or whether their initial complaint is to the Commissioner because no code applies, and then to the VCAT because conciliation fails; or whether the Commissioner or the Minister refers the complaint direct to the VCAT. This is the great strength of this Bill: at the end of the day, all complainants have access to the same remedies, and to the same independent quasi-judicial appeals body.
The VCAT can also make interim orders, on the application of a complainant or the Commissioner, to prevent any party taking actions which would prejudice conciliation or any order the VCAT might subsequently make (cl 38).
If an organisation failed to comply with a VCAT order under cl 43 restraining the continuation of conduct which was the subject of a complaint, this would be contempt of the VCAT.
Criminal penalties can arise if the Commissioner considers that an organisation has breached the IPPs (or a code) and the breach ‘constitutes a serious or flagrant contravention’ (not defined further) or is not as serious but is repetitive (defined as ‘engaged in ... on at least five separate occasions within the previous two years’) (cl 44). The Commissioner can issue a ‘compliance notice’, either on his own initiative or on an application by a complainant (cl 44(5)), requiring the organisation to take specified steps to ensure future compliance (cl 44(2)). In such cases the Commissioner has wide powers of investigation (ss 36-38). It is an indictable offence for an organisation not to comply with a compliance notice (cl 48), and there is a right to seek a review of the Commissioner’s decision by the VCAT.
Other than this, a breach of the Act does not create any criminal liability (cl 7(2)).
The Bill takes a complex and sometimes confusing approach to public registers, but still represents an innovation in Australian privacy law.
Public sector agencies must administer public registers ‘so far as is reasonably practical’ by not contravening the IPPs in relation to them (cl 16(4)). This is a very general provision which takes the approach (originally put forward in the Australian Privacy Charter) that just because personal information is publicly accessible for some purposes does not mean it should be denied all privacy protection, but that the extent to which the IPPs are applicable will depend on the nature and extent of each register. For example, the protection provided by the IPPs dealing with collection, security and correction will often be applicable to public registers.
However, it does not seem that individuals could take action under the Act for a breach of an IPP in relation to a public register, because nothing in the Act or an IPP applies to a generally available publication (cl 11(1)), except for the obligation under cl 16(4) outlined above (cl 11(2)). Information held in public registers is included in the definition of ‘generally available publication’ (cl 3). Clause 11 would prevent any of the enforcement provisions of the Act applying to public registers. General principles of administrative law could still be used to force an agency or council to comply with their obligations under cl 16(4) to observe the IPPs ‘so far as is reasonably practical’ in relation to public registers, but complaints to the Commissioner, and remedies such as compensatory damages, will not be available. The 1999 Victorian Bill allowed the IPPs to be enforced in relation to public registers.
Compliance with a code of practice can satisfy an organisation’s obligation to apply the IPPs to public registers, and Pt 4 ‘has effect accordingly’ (cl 18(2)). Codes can therefore deal with public registers and it seems that a public register code could even provide complaints procedures and remedies for individuals, because those matters would still be dealt with under Pt 4 of the Act.
The definition of ‘public register’ (cl 3) is important because its effect is to limit the operation of the enforcement provisions of the Act. It means ‘a document held by a public sector agency or a Council and open to inspection by members of the public’ containing information that a person was required or permitted to give that agency under an Act. Where public access is due to the Public Records Act 1973 (Vic) the IPPs do not apply (cl 11), and the record is not even a public register.
There seems to be some confusion in the drafting of the definition of ‘public register’ and cl 16(4), based on an assumption that ‘personal information’ does not include ‘publicly available information’ whereas in fact it does (but cl 11 stops the IPPs applying).
‘Nothing in this Act ... gives rise to any civil cause of action; or ... operates to create in any person any legal right ...’ (cl 7(1)(a)). The 1999 Victorian Bill said ‘Nothing in this Act ... gives rise to, or can be taken into account in, any civil cause of action’, which is arguably a broader wording. Although, for example, a disclosure in breach of the Act would not in itself constitute a statutory tort, it might still be arguable that the existence of IPP 2 could be taken as indicating that ‘circumstances of confidence’ exist for the purposes of an action for breach of confidence. In addition, cl 7 might not apply to a code of practice (since it is not ‘in this Act’), but nor should it, since a code involves an organisation holding out what its practices will be.
The Bill provides for the appointment of a Privacy Commissioner by the Government (cl 50) for a term of up to seven years (re-appointable). The Commissioner can be suspended by the Governor-in-Council but can only be removed by resolution of both Houses of Parliament (cl 54).
The Commissioner has a range of functions similar to the Commonwealth and NSW Commissioners (cl 58). Powers which refer to ‘personal privacy’ mean ‘privacy of personal information’ (cl 3 definition), but quite a few of the Commissioner’s powers, including the power to make public statements, refer to ‘the privacy of an individual’ or ‘the privacy of any class of individual’, which is broad enough to cover non-informational aspects of privacy such as bodily intrusions.
The most important example is that the Privacy Commissioner will have an ‘ombudsman’ role of investigation and conciliation of complaints in relation to any acts or practices by public sector organisations which have an ‘adverse effect on the privacy of an individual’ but which fall outside the scope of the IPPs (cl 58(h)(ii)). This role is similar to that which has been exercised by the NSW Privacy Committee since 1975, and is now exercised by the new NSW Privacy Commissioner (though it applies there to the private sector as well). The Commonwealth Privacy Commissioner does not have this role in relation to ‘non-IPP’ complaints in the public sector, and will not have it in relation to ‘non-NPP’ complaints in the private sector. This ‘ombudsman’ role may still become an important and valuable element of ‘the Australian model’ now that it is being taken up by Victoria as well.
Graham Greenleaf, General Editor.