Privacy Law and Policy Reporter
I would naturally wish to respond to Nigel Waters’ critical comments on the commencement of the compliance provisions of the Privacy and Personal Information Protection Act 1998 (NSW) (see N Waters ‘The NSW Act: implementation marred by lack of consultation’ (2000) 7(1) PLPR 15). Nigel expresses concerns over the way exemptions from the information protection principles are being given, the limited flow of information about this process and a lack of consultation with organisations outside the public sector. There is some justice in these views. Transparency is an important feature of an effective information privacy regime. There is no point in publicly affirming a commitment to privacy and denying it in private, so that people have no way of knowing what rights they are entitled to expect. Any abridgement of people’s legislative privacy rights should be subject to the widest possible debate.
As Nigel notes, the Act has significant differences to the federal Privacy Act 1988. The privacy principles are somewhat more restrictive, especially in relation to public registers. The opportunities for modifying the principles are broader. Privacy codes of practice to modify the rigour of the information protection principles or the public register provisions can be made either by the Privacy Commissioner or by an agency, providing it consults with the Privacy Commissioner.
The NSW Commissioner is not as central to the role of enforcing compliance as the Federal Commissioner. Under Pt 5 any aggrieved party can initiate a review of conduct which allegedly breaches a principle, privacy code of practice or the public register provisions by lodging a complaint directly with the agency concerned. In the lead-up to implementation of the Act, agencies have tended to look to codes as a means of reducing their liability. Consequently we were faced with the prospect of a flood of last-minute codes to be approved before 1 July. While I do not endorse this last-minute haste, I accepted the responsibility to try to resolve outstanding fears about the onerous nature of the Act and process codes as quickly as possible.
Our advice to agencies on the preparation of codes emphasised the need for consultation with major stakeholders. However, most agencies who submitted codes do not appear to have allowed the necessary timeframe for consultation with their major client groups. Agencies are unlikely to have been aware of specific privacy interest groups, an oversight which I intend to correct.
A number of proposed codes contained provisions which were unnecessary but which agencies included to remove uncertainty over the scope of existing exemptions. Other codes sought exemptions which were so broad as to deny any effect to some of the principles. Under my brief to consult and make recommendations on codes, I challenged those provisions which I saw as overly vague or broad or for which there was inadequate justification. Some agencies were asked to go back and start again. For my criteria for assessing codes see <http://www.lawlink.nsw.gov.au/pc.nsf/pages/codeprotocol> [a copy follows this article].
Under s 41 of the Act I can make directions to exempt an agency from complying with a principle or principles. I have used this as a temporary measure to allow agencies to get it right. I fully recognise that some of these directions may seem very broad on a quick reading, but this should be recognised as a reflection of their function to preserve the status quo until a code can be finalised.
As a further step, I have decided to initiate a program to review existing codes over the next six months. This review will need to balance the need for certainty against inconsistencies and unnecessary exemptions.
I also recognise the need for consultation on those codes prepared by Privacy NSW. However, in the rush to put codes in place ahead of the 1 July start-up, my office has tended to concentrate on areas where special problems were anticipated. For example, local government was identified as having particular problems with the public register provisions and a great deal of effort has gone into anticipating and minimising their impact on councils. Research using agency records, including records of non-government organisations deposited with public sector agencies, also presented a major challenge for agencies. A draft research code was released in May and circulated to agencies and organisations representing researchers. The subsequent feedback justified a postponement of the final code to meet the concerns which were raised. I am also involved in a major consultation on electronic health records which will have some impact on the way the Act operates in the health area.
Codes prepared by my office to cover the investigative activities of agencies which are not covered by the exemptions for investigative agencies as defined in the Act, and a code dealing with exchanges of information between public sector agencies, have also presented a significant challenge in striking a balance between the spirit of the Act and the practical needs of agencies. It was originally hoped to have codes in place by the 1 July start date, but final versions have been postponed to allow a further round of consultation.
It would be easy to justify the mixed start for privacy legislation by referring to the limited resources of the Privacy Commissioner’s Office. The office has had to alert agencies to the legislation, attempt to resolve issues of interpretation, assist and provide training on the preparation of codes and management plans, while continuing to perform the advice and complaint handling functions it took over from the Privacy Committee, all without any significant increase in funding or resources. In this, however, we are arguably in the same position as many other data protection authorities as well as any other public sector agency attempting to deliver services which are not identified as a major government priority. I would like to think that a broader explanatory perspective is needed; one which recognises the profound cultural change in the public sector, of which the privacy legislation is a part.
Until recently, NSW public sector agencies have operated according to their own devices with much less public scrutiny than agencies in the federal sphere. Over the last decade, a proliferation of administrative review mechanisms, culminating in the creation of the Administrative Decisions Tribunal, has ushered in broadly uniform accountability standards. The Privacy and Personal Information Protection Act is part and parcel of this process. Agencies need the time to recognise that privacy is not simply a series of restrictive mechanisms; rather, it provides them with a framework for developing the trust and acceptance of their clients and customers which is essential to the modern business of government.
Chris Puplick, New South Wales Privacy Commissioner.