Privacy Law and Policy Reporter
Compiled by Graham Greenleaf
Victoria has joined NSW as the second State with information privacy legislation covering the State public sector. The Information Privacy Bill 2000 (see 7(2) PLPR 21 for analysis) passed the Legislative Council on 30 November. The Council had proposed amendments to make codes of practice disallowable instruments, but the Legislative Assembly opposed the amendments and rose without amending the Bill. The Council then extended its sitting days and decided not to pursue the amendments.
The Opposition had argued that there should be parliamentary scrutiny of variations to the standards set out in the principles, but the Government view was that this would delay codes and weaken the role of the Victorian Privacy Commissioner. The issue is not as important as it might be in other contexts, because the Victorian Bill requires that codes be ‘at least as stringent’ as the Information Privacy Principles (IPPs) (see 7(2) PLPR 24). There is therefore little need for Parliament to ensure that the Commissioner does not ‘water down’ the IPPs through weak codes, and if the Commissioner did attempt this then his or her actions could be attacked as ultra vires. The legislation is expected to come into effect from 1 September 2001, followed by a 12 month phase-in period. A Victorian Privacy Commissioner must also be appointed.
The Health Records Bill was introduced into the Legislative Assembly on 22 November and given a second reading, with debate held over until the 2001 sittings. The proposed legislation covers all health information held in the public and private sectors, and all personal information held by public and private sector health service providers (see the next issue of PLPR for a detailed assessment).
See <http://www.dms.dpc.vic.gov.au/pdocs/bills/B00596/B00596S.html> for the Information Privacy Bill 2000 as passed. (Information on passage provided by Lindy Smith of Privacy Management Pty Ltd).
In an attempt to blunt Senate amendments to the Privacy Amendment (Private Sector) Bill, the Federal Government announced on 29 November 2000 that it ‘will review existing Commonwealth, State and Territory laws, to consider the extent of privacy protection for employee records and whether there is a need for further measures’. One purported justification for the employee records exemption in the Bill, rejected by both the House and Senate Committees that examined it, was that existing laws provide adequate privacy protection to employees.
The review will be carried out by the same people who created the unjustifiable exemption, the Attorney-General’s Department and the Department of Employment, Workplace Relations and Small Business. There will be no independent review; the Privacy Commissioner will only be ‘consulted’. The review will only commence after the Bill is enacted and only need be completed by the time of the general two year review of the Act.
On 1 November 2000, the long-negotiated Safe Harbor agreement formally went into effect. Safe Harbor allows US companies to voluntarily subscribe to a set of principles and procedures for the handling of data originating in the European Union. The EU Data Protection Directive requires that an adequate level of privacy protection exist before any personal information can be transferred to a third country. The European Commission has agreed that any US company that subscribes to Safe Harbor should be deemed to be providing an adequate level of privacy protection for such data.
By early December, 12 organisations had joined the list maintained by the US Department of Commerce at <http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list>. The Safe Harbor list and related materials are at <http://www.export.gov/safeharbor/>.
Source: EPIC Alert.