Privacy Law and Policy Reporter
Under s 31(2) of the Privacy and Personal Information Protection Act 1998 (NSW), public sector agencies must consult with the Privacy Commissioner on draft privacy codes of practice before they are submitted to the Attorney General for approval. The Privacy Commissioner assesses draft codes and then makes a submission to the Attorney General, who considers the submission. The Privacy Commissioner has issued the following protocol for approval of codes. The protocol and related documents can be found on the Privacy NSW website at <http://www.lawlink.nsw.gov.au/pc.nsf/pages/index> — General Editor.
Privacy New South Wales, 11 May.
Public sector agencies may submit draft privacy codes of practice to the Privacy Commissioner for the purpose of modifying the application to the agency of the information protection principles or of the public register provisions in Pt 6 of the Act. The Privacy Commissioner has the responsibility of making recommendations to the Attorney General on whether a code should be made by him.
The stated intention of the Privacy and Personal Information Protection Act is to provide for the protection of personal information and protection of the privacy of individuals generally. The Act confers privacy rights on and recognises expectations of individuals in a way which furthers the aims of international conventions to which Australia is a party. In assessing and making recommendations, the Privacy Commissioner has a responsibility to give effect to the intention of the Act and minimise the potential of codes to lessen these rights and expectations.
The validity of a privacy code of practice depends on a number of conditions specified in the Act. Codes are to be made to protect privacy. They must provide standards of privacy protection which operate to protect public sector agencies from any restrictions in relation to the importation of personal information into New South Wales. They are not to impose higher standards on agencies than those set out in the information protection principles contained in the Act.
In reviewing draft privacy codes of practice and making submissions to the Attorney General as to whether or not to approve a draft code, the Privacy Commissioner will have regard to the following matters.
1. Does the code:
(a) modify the application of any one or more of the information protection principles to any public sector agency?
(b) modify the application of the provisions of Pt 6 of the Act to any public sector agency?
(c) specify the manner in which any one or more of the information protection principles are to be applied to, or are to be followed by, the public sector agency?
(d) exempt a public sector agency, or class of public sector agency, from the requirement to comply with any information protection principle?
(e) clearly indicate the extent of any such modification, specification or exemption?
2. (a) Does the code clearly identify:
(i) the class of personal information;
(ii) the public sector agency or class of agencies; or
(iii) the activity or class of activities in relation to which the code purports to modify the information protection principles?
(b) Is the class of information, agencies or activities more widely defined than is necessary to achieve the intention of the code or code provision?
3. Is the code consistent with the stated purpose of the Act?
(a) Is it made for the purpose of protecting the privacy of individuals?
(b) Do the information protection principles, as modified by each of the provisions of the code, on balance still protect privacy?
As a general principle the privacy interests of individuals are best secured through consistent adherence to the principles by all agencies. A multiplicity of exceptions will make it difficult for individuals to have consistent expectations and to exercise their rights under the Act.
In assessing how a proposed modification of a principle affects privacy, the principles should be viewed as contributing individually to an overall result rather than in isolation. For example, removing the requirement to collect information directly from the individual under the second principle might not affect the individual’s privacy as long as the individual was notified of the collection under the third principle. However, because the third principle applies only to information collected from an individual, such a trade-off would need to be carefully worded to avoid imposing a higher standard on the agency.
(c) Does the code maintain standards of privacy protection which will operate to protect public sector agencies from any restrictions in relation to the importation of personal information into NSW?
Privacy legislation passed or proposed in other jurisdictions (most notably the European Union) requires that external transfers of personal information should only be made where there is an adequate or comparable level of protection in the receiving jurisdiction.
At this stage it is not clear how the adequacy of the provisions of the Privacy and Personal Information Protection Act or a code are to be assessed in accordance with the standards of other relevant jurisdictions.
The Privacy Commissioner therefore proposes to interpret this limitation on the contents of codes in a flexible manner, taking into account:
(i) whether the agency or agencies proposing the code customarily shares personal information with other jurisdictions; and
(ii) any privacy legislation in jurisdictions which share data with the agency or agencies proposing a code.
Where a provision of a code authorises the sharing of personal information with agencies or bodies in another jurisdiction, other matters to be considered will include:
(i) policies on privacy protection for the public sector or relevant public sector agencies in these jurisdictions;
(ii) any relevant privacy protection or complaint investigation bodies in relevant jurisdictions;
(iii) whether the proposed disclosure is to a public sector or private sector body;
(iv) the ability to enforce contractual undertakings which the New South Wales agency may impose on a transfer;
(v) the public interest in giving effect to proposed transfers (for example in the sharing of information between revenue agencies to minimise avoidance or the sharing of information between law enforcement agencies);
(vi) whether proposed transfers would be more appropriately covered by the code of practice which the Privacy Commissioner is to make under s 19(4).
4. Does the code impose on any public sector agency requirements that are more stringent (or of a higher standard) than the information protection principles?
Codes or code provisions which impose higher or more stringent standards on agencies risk invalidity under s 29(7)(b). This provision does not prevent an agency from imposing more stringent conditions on persons or bodies which are not public sector agencies. Nor does it prevent a public sector agency which is bound by other obligations in relation to personal information (for example, legal obligations of confidentiality or statutory confidentiality provisions) from prescribing higher standards in an applicable document which is not a privacy code of practice within the meaning of the Act.
5. Do any provisions of the code purport to modify an applicable exemption?
Under s 29(6) such a provision in a code is invalid. Agencies submitting draft codes which include departures from the principles which are already covered by an exemption will be encouraged to remove them.
6. Does the code substantially affect privacy or other interests of an identifiable group of people and, if so:
(a) is the code discriminatory?
(b) has there been appropriate consultation?
In some circumstances the Privacy Commissioner may recommend that a code proceed subject to a sunset clause to allow fuller consultation before a final code is made.
7. Will the provisions sought to be modified or exempted by the code create a precedent for other public sector agencies?
The Privacy Commissioner’s recommendations will seek to promote the consistent and uniform effects of code provisions. If an exception for a class of information or activity is made for one agency it may be difficult to argue against the same exception applying to all agencies. The Commissioner will therefore have regard to the potential precedent effects of any exemption sought by an agency.
8. Are the alterations to the information protection principles clearly expressed and readily understandable?
Codes should be readily accessible to individual clients, customers and employees who have rights under the Act. They should avoid legal technicality and ambiguity or uncertainty as to how the information protection principles are modified.
9. Has the agency provided a business case which justifies the making of a code?
10. What are the genuine difficulties the agency has in complying with the existing principles?
Are there alternative solutions available to the agency which would avoid the need for a code? As a general principle the Privacy Commissioner would prefer agencies to adopt practices which allow them to comply with the information protection principles.
11. Is the making of the code in the public interest?
Overall, do the benefits of making a particular code outweigh the public interest in having a consistent and standardised privacy regime?
12. In assessing a privacy code of practice which seeks to modify the public register provisions, the following issues will be considered in addition to those matters already covered in this protocol.
(a) The purpose of the register or the legislation setting up the register.
(b) The nature of the information contained on the register.
(c) The steps proposed to be taken by the agency to establish the purpose for which access to the register is being given.
(d) Other matters which may render compliance with the public register provisions unreasonable or onerous, including:
(i) the public interest in maintaining relatively unrestricted access to a given register;
(ii) the form in which public access is given to the register (for example access to a folio or screen or the issue of a certificate);
(iii) the means of establishing reasons for accessing a particular register, and whether the steps reasonably necessary for an agency to satisfy itself that the proposed use of personal information is consistent with the purpose of the register would unreasonably restrict public access to the register;
(iv) whether proposed uses would or would not otherwise unreasonably interfere with personal privacy;
(v) the difficulty of complying with the test in s 58(2) when dealing with an application to suppress information;
(vi) the practical difficulty in excluding information subject to an application for suppression, having regard to the manner in which the register is made available to the public;
(vii) the practicality of giving individuals the option to consent to their personal information being made available from the register.
(e) The possibility of meeting the public register provisions in part but modifying them in relation to more limited classes of sensitive information on a register.
Chris Puplick, Privacy Commissioner. See also Privacy New South Wales, A Guide to Making Privacy Codes of Practice No 3 1999.