Privacy Law and Policy Reporter
This article by the NSW Deputy Privacy Commissioner summarises the experience of Privacy NSW in administering the first two years of the Privacy and Personal Information Protection Act 1998 (NSW) during which it has been possible for the public to make complaints — General Editor.
The Privacy and Personal Information Protection Act 1998 (NSW)(PPIP Act) commenced in stages, but the most relevant date for the purposes of reviewing the operation of the Act is 1 July 2000. As of 1 July 2000, NSW public sector agencies:
The right to Internal Review and subsequent review by the Administrative Decisions Tribunal (ADT) of any decision or conduct by a public sector agency which allegedly breached the IPPs, public register provisions or a Privacy Code of Practice therefore also arises in relation to conduct or decisions made since 1 July 2000, although the ability of the ADT to award compensation only dates from ,1 July 2001.
This article reviews the first two years of operation of the PPIP Act with respect to public sector agencies’ compliance, from July 2000 to June 2002, as well as the changing nature of the work done by Privacy NSW during that time.
From the point of view of Privacy NSW, the most common mistakes made by public sector agencies in their implementation of the PPIP Act are:
In terms of internal reviews in particular, I am concerned by the number of internal review ‘findings’ which do not actually refer to the IPPs, and/or do not notify the applicant of their right to appeal to the ADT. Applicants only have ,28 days in which to lodge their appeal, and much effort has been expended by ,this Office in persuading agencies to effectively ‘re-issue’ their findings with the proper notification, so as to trigger a fresh 28 day period and thus allow the applicant to assert their legal rights.
The June 2002 newsletter for Privacy Contact Officers contains detailed advice on an internal review.
Another issue for public sector agencies is an ongoing one: the long wait for a number of sector wide Privacy Codes of Practice. The three major draft Codes, which have been subject to much consultation over the past two years, are with respect to research, investigations and inter-agency transfers. As they are sector wide, rather than agency specific, the consultation process has been taken over by the Cabinet Office.
While waiting for the Codes to be finalised by the Attorney General, the Privacy Commissioner has made a number of s 41 Directions. However the Commissioner has taken the view that ,s 41 Directions ought to be temporary in nature, allowing a flexible approach to compliance with the IPPs or the public register provisions in the PPIP Act only while the more comprehensive Privacy Codes of Practice are being developed.
The Privacy Commissioner has expressed his concern at the length of time taken to finalise the replacement Codes. The reliance upon these particular s 41 Directions for the past two years has highlighted a number ,of difficulties with respect to their interpretation and application. For that reason, in June 2002 the Commissioner issued fresh s 41 Directions, covering the same topics, which more clearly addressed these concerns. Most of the minor alterations were to clarify that the conduct authorised by those Directions (which would otherwise breach the IPPs or the public register provisions in the PPIP Act) must be reasonably necessary in the first place. As before, however, these Directions are only intended as ,a ‘stopgap’ measure until the more comprehensive Codes are finalised by the Attorney General. Available online are the s 41 Directions and a list of the 11 Codes already made by the Attorney General (most of which are agency specific).
Two issues are emerging as challenges for public sector agencies in their compliance with the IPPs: the pressure to provide ‘good news’ stories and other information to the media and the risk of ‘constructive’ identification.
A number of agencies have also sought the advice of Privacy NSW with respect to publishing photographs of their clients, such as in brochures, on websites and to the media, to illustrate their services in a positive way. Examples include educational, cultural, sporting, recreational and other leisure activities. This issue is particularly sensitive when the clients are children or other vulnerable individuals, as the appropriate manner of gaining consent can be difficult to resolve. Privacy NSW has therefore commenced a project with the Commission for Children and Young People to develop some guidelines on protecting children’s privacy under the PPIP Act.
This issue can overlap with the second issue — constructive identification. Constructive identification may occur, for example, in the publication of non-identifying statistical data, which may nevertheless be aggregated with other data to effectively re-identify some individuals. However, it can also be the result of disclosing or publishing details of one individual without naming them, but with enough background information or within a context that makes the individual ‘readily identifiable’ to members of his or her community. This was the case in the matter investigated by the Privacy Commissioner and subsequently reported on in his second Special Report, Student A and the Minister ,for Education. Privacy NSW is also working on guidelines for agencies on how to avoid constructive identification that would breach the IPPs.
The primary complaints resolution mechanism under the Act is internal review, which allows further ‘external’ review by the ADT. However, this mechanism only relates to the conduct of public sector agencies, only to conduct which breaches the IPPs or public register provisions of the PPIP Act, and only to conduct since 1 July 2000.
Privacy NSW took over the functions of the Privacy Committee and retained the Committee’s broad complaints and investigation function, not limited to public sector respondents or even to ‘information privacy’ complaints. However, the Privacy Commissioner can only seek to conciliate complaints and, unlike the internal review mechanism, there is no ability for a complainant ,to seek further review by the ADT.
Complaints may therefore be made ,to the NSW Privacy Commissioner under s 45 of the PPIP Act about any respondent, so long as the complaint ,is about an alleged ‘violation or interference with’ the complainant’s privacy. This includes matters which could also be the subject of an internal review under the PPIP Act, as well as complaints which may be characterised as about ‘physical’ privacy rather than ‘information’ privacy.
As a matter of policy and practice however, Privacy NSW does not accept complaints against Federal or other State/Territory government agencies. Furthermore, since 21 December 2001 there has been privacy regulation for some private sector organisations under the Privacy Act 1988 (Cth), and these matters are of course more appropriately dealt with by the Office of the Federal Privacy Commissioner.
However, Privacy NSW is continuing to deal with complaints against the private sector which cannot be dealt with under the Commonwealth laws — for example where the respondent is a small business, or the complaint is about employment records (which are exempt under the Privacy Act) or physical privacy.
Privacy NSW has recently updated its Complaints Protocol to clarify how the Commissioner will be guided in his decision-making as to whether or not a complainant’s privacy has been violated or interfered with. The standards applied will differ according to ,whether or not the respondent is ,bound already by the IPPs, and ,whether or not the complaint is ,about physical privacy rather than information privacy.
The Complaints Protocol also clarifies the circumstances in which the Privacy Commissioner will agree to deal with a complaint notwithstanding that it could be, or has been, the subject of a request for internal review.
Therefore the s 45 complaints dealt with by the Privacy Commissioner in the past two years relate to both public and private sector respondents, both information and physical privacy, and conduct which occurred both before ,and after 1 July 2000.
Of the 76 complaints finalised in 2000-01 and the 235 finalised in ,2001-02, 43 per cent were against ,public sector agency respondents.
The ‘top’ three or four respondent agencies in 2000-01, in order of frequency, were NSW Police, NSW Health (including the Area Health Services) and the Department of Education & Training. The following year, in order of frequency, they were the Department of Education & Training, NSW Police, the Attorney General’s Department and NSW Health (including the Area Health Services). The local government sector represented ,12 per cent of public sector complaints in 2000-01, but 18 per cent the following year.
The most common relationship of ,the complainant to the public sector respondent in 2000-01 were: employee, a person regulated by the respondent, client/customer/patient, student (State agencies only) or resident/ratepayer (local government only) of the respondent. In 2001-02 this changed slightly, in order of frequency, to: client/customer/patient, employee, student, resident/ratepayer and a ,person regulated by the respondent.
Of the private sector respondents, the most common sectors in 2000-01 were the media, retail, banking and real estate sectors. In 2001-02 they were the not-for-profits, retail, banking, real estate, insurance and telecom/utility sectors. The three most frequent ways in which the relationship of the complainant to the private sector respondent were described, across both years, were client/customer/patient of the respondent, the subject of the respondent’s unsolicited attention ,or employee of the respondent.
The most common types of information or practices at issue in 2000-01, in order of frequency, were personal contact details, surveillance ,and physical privacy, direct marketing, medical/health information, employment records, credit/financial/tax information and criminal histories. In 2001-02 ,they were personal contact details, credit/financial/tax information, surveillance and physical privacy, medical/health information, direct marketing, criminal histories and employment records.
Across both years and all sectors, the most common privacy ‘principles’ (in their broadest sense) complained of ,were disclosure, collection and physical privacy.
Of the 311 complaints finalised across the two years, 84 (27 per cent) were resolved to the Commissioner’s or the complainant’s satisfaction. A further ,36 were investigated but either no breach was found (26, or 8 per cent) or the matter was not able to be resolved (10, or 3 per cent).
Another 50 complaints (16 per cent) were discontinued, usually as a result ,of the complainant withdrawing or not making further contact with Privacy NSW. Privacy NSW was unable to deal with 19 complaints (6 per cent), for example because they did not raise issues of privacy or were not in NSW. Another 24 matters (8 per cent) were declined under s 46, and the remainder were referred either to internal review (24, or 8 per cent), the Office of the Federal Privacy Commissioner (46, or 15 per cent), or to another complaints body (24, or 8 per cent).
The Privacy Commissioner has no power to make binding orders on respondents. Complaints made under ,s 45 can only be conciliated. While investigation reports may be issued to the parties under s 50 of the PPIP Act, the ultimate sanction in the Privacy Commissioner’s armory is to make a special report to Parliament under s 65 ‘on any matter arising in connection with the discharge of his or her functions’. To date only two special reports have been made.
The first special report to Parliament was Complaint by Ms Carol Atkins against Queanbeyan City Council. It was issued following an investigation into a complaint by Ms Carol Atkins. An investigation report was issued to ,the respondent council, recommending certain action be taken by the general manager and the mayor, including issuing Ms Atkins with a written apology for the violations of her privacy. Both the general manager ,and the mayor refused to act on the Commissioner’s recommendation that they apologise to Ms Atkins. On ,17 September 2001 the Commissioner therefore made a special report to Parliament on the matter.
The second special report, tabled ,on 7 May 2002, was a report on the investigation of a complaint from a student and his family, against the ,then Minister for Education and two ministerial staff. The report raises a number of issues for agencies, including the adequacy of staff training in their responsibilities under the PPIP Act, as well as the possibility of ‘constructively’ identifying a person without naming them.
Only three internal review matters were finalised during 2000-01, but 39 were finalised the following year. The following figures, therefore, cover the 42 matters across both years.
The highest number of internal reviews were conducted by the Roads and Traffic Authority (29 per cent), the Department of Education & Training (21 per cent) and NSW Health (including the Area Health Services) ,(10 per cent). Seven matters (17 per cent) were conducted by local councils.
The most frequent relationships ,(of the complainant to the respondent) were client/customer (48 per cent), employee (21 per cent), resident/ ratepayer (12 per cent) and student ,(7 per cent) of the respondent. The ,most common types of information or practice at issue were personal contact details (31 per cent), medical/health records (19 per cent), criminal histories (14 per cent), employment records ,(12 per cent) and local government/,land title records (7 per cent).
In terms of outcomes, a breach of the IPPs and/or public register provisions of the Act was found in 12 cases (29 per cent). The remedies offered in these matters included an apology (10 cases), rectification (three cases) and financial compensation (one case). In five cases the internal review resulted in a change in practices in the agency, and in five cases retraining of staff was also promised as a result.
In 20 internal reviews no breach was found, either as a result of the decision or conduct not occurring (12 cases), or the decision or conduct being subject to an exemption under the PPIP Act, a Privacy Code of Practice or a s 41 Direction (eight cases).
The remaining 10 matters were not actually the subject of any review by the agency, as they were withdrawn by the applicant (five cases), not subject to the Act because they pre-dated 1 July 2000 (three cases) or declined as out of time (two cases).
At the time of writing, two matters have been finalised and a third has had an interlocutory judgment in the ADT. To date no case has reached the point of actually reviewing an agency’s conduct with respect to the IPPs or public register provisions. The following cases therefore raise matters of jurisdictional importance, but do ,not yet provide a guide to the likely reasoning of the ADT when it comes ,to measuring an agency’s conduct ,as against its obligations under ,the Act.
In September 2001, the first case to go to the ADT under the PPIP Act was decided by Tribunal president, Judge Kevin O’Connor Y v Director General, Department of Education & Training. This case is of interest to all public sector agencies, both as employers and as the potential subject of applications for internal review.
This first case decided a number of jurisdictional questions, the foremost of which is the vexed issue of ‘out of time’ requests for internal review. President O’Connor found that the ADT had no jurisdiction to review the decision of ,an agency to reject an application for internal review made ‘out of time’ — that is, more than six months after the applicant first became aware of the conduct which is the subject of the application.
However President O’Connor also sounded a warning to agencies — in considering whether applications for internal review had to be described by the applicant as such, he found that ‘express reference’ to the particular statute under which the application for review is not essential, especially where the context suggests that a statutory right is being invoked. However where the applicant is represented by an informed agent, such as a union or solicitor, ‘it is reasonable for an agency ordinarily to expect to find direct reference to any statutory right that ,is being invoked’.
The case of Y v DET was primarily about the exemption in s 4(3)(j) from the definition of ‘personal information’: ‘information or an opinion about an individual’s suitability for appointment or employment as a public sector official.’ President O’Connor found that such information need ,not be limited to selection, promotion, disciplinary or involuntary retirement processes. It could also include management reviews of work practices, work arrangements and performance.
The wide scope of the s 4(3)(j) exemption — which was added to the PPIP Bill only as it progressed through Parliament — is of concern to Privacy NSW. By excluding ‘information or an opinion about an individual’s suitability for appointment or employment as a public sector official’ from the definition of ‘personal information’ in the first place, not only is such information not afforded the protection of the IPPs, ,but the ‘corrupt disclosure’ criminal sanctions in ss 62-63 of the PPIP Act also do not apply to such information. While Privacy NSW recognises the importance of frank referee reports in the job selection process for example, the effect of s 4(3)(j) goes well beyond simply allowing smooth recruitment practices. The Privacy Commissioner has therefore requested the Attorney General to put a bill to Parliament to ameliorate this situation as soon as possible.
The case of BQ v Commissioner ,of Police, New South Wales Police Service, was decided in the ADT on 26 April 2002 by Judicial Member ,A Britton.
It has been summarised in an earlier edition of this bulletin, but it is worth noting that, like Y v DET, the case turned on the issue of whether the ADT has jurisdiction to consider appeals arising from requests for internal review declined by the respondent agency on the basis of being out of time. The ADT reached a similar conclusion in BQ — that it lacks jurisdiction to determine an application where an internal review application is made out of time.
And again like Y v DET, the respondent agency also submitted that the information at issue was not ‘personal information’ by reason of ,s 4(3)(j) of the PPIP Act. This issue was not dealt with by the ADT once it decided that it lacked jurisdiction to review the conduct of the agency.
The case of CP v New South Wales Ombudsman was decided on 20 June 2002, although it is effectively only an interlocutory judgment.
The particular issue with which this decision is concerned was whether the ADT has jurisdiction to hear and decide the applicant’s application for review ,of the conduct of the Ombudsman’s Office, given the immunity from ,civil proceedings granted to ‘the Ombudsman’ and ‘an officer of the Ombudsman’ under ss 35A and 35B ,of the Ombudsman Act 1974 (NSW). The Ombudsman had argued that ,such immunity extended to review proceedings under the PPIP Act, and had furthermore submitted that he (and/or his officers) did not constitute a ‘public sector agency’ for the purposes of the PPIP Act, and were therefore not subject to review under Pt 5 of the PPIP Act.
This ‘public sector agency’ argument was rejected by President O’Connor, who found that ‘the Ombudsman’s Office can be viewed as an entity separate from the Ombudsman within the meaning of para (d) of the definition of “public sector agency” in s 3 of PPIPA’.
President O’Connor also found that the general immunity from civil proceedings should be read subject to the PPIP Act — that is, the right to internal review and subsequent review by the ADT ‘operates as a modification to the general immunity’ conferred on the Ombudsman by ,s 35A. President O’Connor noted ,that while ‘it is in the interests of the efficient conduct of [the Ombudsman’s Office] that it not be tied up in collateral legal proceedings which distract it from its ordinary work’, the IPPs in the PPIP Act are ‘standards applicable to an important aspect ,of the administrative conduct of an agency (the handling of personal information)’. As such, review of the Ombudsman’s Office’s conduct with respect to its obligation to comply with the IPPs does not lead to the ‘scrutiny of the propriety of an Ombudsman’s substantive conclusions’ which the s 35A immunity was intended to avoid.
However, the Ombudsman has applied to the Supreme Court for judicial review of the Tribunal’s decision in this case.
The general awareness of privacy issues in the community appears to be steadily increasing, in particular since the introduction in December 2001 of Commonwealth private sector privacy laws. This continues to have dramatic impacts on the demands placed on Privacy NSW.
From 2000-01 to 2001-02 alone, the number of telephone, email and face to face inquiries received increased by 65 per cent. The total number of new core ‘files’ — being new formal complaints, written requests for advice and internal review oversight matters — have increased by 54 per cent since 2000-01.
In addition, as we have entered a ‘settling in’ phase with respect to the PPIP Act, the demands on this Office from public sector agencies has shifted. Rather than the initial requests for assistance in procedural matters, such ,as the development of Privacy Management Plans and training characteristic of the first few years since the Act’s introduction in 1998, requests for advice now tend to relate to ongoing assistance with large and complex projects, involving more substantive issues of statutory interpretation and application.
The Minister for Health released a draft Health Records & Information Privacy Bill for public consultation, and Privacy NSW was very involved in the development of the draft legislation. The revised Bill was tabled in Parliament in June 2002. The Bill recognises Privacy NSW as the key body charged with both policy development and complaints handling with respect to health records into the future. As at the date of writing, the Bill is yet to be debated. Privacy NSW has released a Position Paper on the Health Records & Information Privacy Bill.
Also in 2001-02, the NSW Law Reform Commission released its report on surveillance, recommending a comprehensive act to cover covert and overt surveillance in all forms and across all sectors. The proposal for a Surveillance Act again highlighted the role that the Privacy Commissioner is likely to take in this very complex and emerging area of concern with respect to privacy protection. Privacy NSW has released a Position Paper on the Law Reform Commission’s Report, which doubled as our submission to the Law Reform Commission.
The rapidly changing nature of technology has also given greater prominence to privacy considerations than ever before. Both the Privacy Commissioner and staff of Privacy NSW are in increased demand to sit ,on oversight committees, comment on technological issues, and be more pro-active in general community and policy debates about matters ranging from biometric technologies to the development of new surveillance techniques.
In the past two years, the Privacy Commissioner has given evidence at two parliamentary inquiries (the Parliamentary Inquiry into the Crimes (Forensic Procedures) Act 2000 (Cth) No 61 of 2000, and the Parliamentary Inquiry into Access to Information), ,and was (and continues to be) a member of the Innocence Panel, the steering committee for the Australian Law Reform Commission/Australian Health Ethics Committee reference ,on Protection of Human Genetic Information and the Oversight Committee for the Division of Analytical Laboratories DNA forensic testing facilities and operations.
Officers of Privacy NSW are members of the Inter-agency Working Party on Identity Theft, the Inter-departmental Committee on CCTV, the Working Party on the Implementation of the Child Protection (Offenders Registration) Act 2000 (NSW), the NSW Chronic Care Personal Health Records Steering Committee, the Working Group on Health Related Privacy Complaints and the Inter-agency Working Party on Alcohol Interlock Project.
More than 200 media inquiries to the Privacy Commissioner were dealt with in the past two years. The Privacy Commissioner and other staff of Privacy NSW have made 40 speeches and presentations on the PPIP Act and privacy issues in general during this ,two year period.
Although we do not yet have sufficient funding to offer a comprehensive education program ,for either respondents or members ,of the public, we have made some improvements in communicating with our stakeholders, by way of regular Privacy Contact Officer newsletters, Privacy Bulletins aimed at the general community and more regular updates to our website. We have also published on our website A Guide to the Workplace Video Surveillance Act 1998, and a number of Position Papers on topics ,of current political or policy debate.
In 2001-02, 351 written requests for advice were finalised. The requests came from State government agencies (47 per cent), private sector organisations ,(19 per cent), private individuals ,(13 per cent), Federal or other governments (8 per cent), local councils (6 per cent), Members of Parliament ,(5 per cent) and parliamentary inquiries (2 per cent). In almost 4 per cent of cases, the advice was requested by Privacy NSW from another agency.
The scope of the requests for ,advice was primarily the PPIP Act ,(62 per cent), but other common topics included surveillance legislation such as the Listening Devices Act 1984 (NSW) and the Workplace Video Surveillance Act 1998 (NSW) ,(5 per cent), the Privacy Act 1988 (Cth) (6 per cent), other legislation including draft bills (12 per cent), and specific projects or practices (9 per cent).
The types of information or practice at issue included medical/health records (17 per cent), surveillance, monitoring and physical privacy ,(13 per cent), personal contact details (12 per cent), identity/age records ,and identity theft (8 per cent), local government/land title records ,(8 per cent), record keeping practices of all types (7 per cent), criminal histories (5 per cent), credit/banking/ financial/tax records, employment records and court/tribunal activities ,(3 per cent each).
Of the 338 requests sent to Privacy NSW, 296 (88 per cent) were answered by way of advice, usually written. Of the 42 requests not responded to, the main reason for not responding was the inability to commit the time or resources (28 files, or 8 per cent of the total); these matters often related to requests for submissions to legislative reviews, parliamentary inquiries and ,the like.
Given the increased demand on the time of both the Privacy Commissioner and staff of Privacy NSW to sit on oversight committees and inter-agency working groups, and the expectation that the Privacy Commissioner will be more and more pro-active in general community and policy debates about matters ranging from DNA databases to the use of ‘smart cards’ on public transport, it is certainly of concern that Privacy NSW does not have the time and/or resources to deal with 8 per cent of the requests for formal advice that come to the Privacy Commissioner.
This situation will become exacerbated as the rapidly increasing number of requests for advice flows through the office. (Just from 2000-01 to 2001-02 the number of written requests for advice rose by 76 per cent, from 172 to 303, while telephone, face to face and email inquiries rose by ,65 per cent, from 1743 to 2884 per annum.)
Should the current pattern continue, as I have every reason to believe it will, Privacy NSW will become even more stretched unless further resources are provided quickly. Such a situation is obviously not ideal in terms of our commitment to the protection of human rights in NSW.
To this end an organisational restructure for Privacy NSW has been proposed to the NSW Attorney General’s Department, along with ,a request for additional funding. Discussions with the Department are continuing ... so watch this space! l
Anna Johnston,,NSW Deputy Privacy Commissioner.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/newsletterjun2002>.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/section41orders>.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/codesmade>.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/complaints> for the full Complainst Protocol.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/queanbeyan1>.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/reported>.
 See links at <www.lawlink.nsw.gov.au/pc.nsf/pages/cases>.
  NSWADT 149.
 Section 53(3)(d) of the PPIP Act.
 At para 16.
  NSWADT 64.
  NSWADT 103.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/positionpapers>.
 See <www.lawlink.nsw.gov.au/pc.nsf/pages/positionpapers>.