Privacy Law and Policy Reporter
|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Privacy Law and Policy Reporter |
|
Graham Greenleaf
‘Reporting privacy complaints Pt 1: ,a proposal for systematic reporting of complaints in Asia-Pacific jurisdictions’ appeared in (2002) 9(3) PLPR 41. ,Part 3 of this article, which will cover Canadian privacy agencies, will appear in a subsequent issue of PLPR.
We now turn to a more detailed consideration, on a jurisdiction by jurisdiction basis, of the complaint reporting practices of Privacy Commissioners in the following jurisdictions in the Asia-Pacific:
The Privacy Commissioner for Personal Data, Hong Kong SAR, China can mediate complaints received, but can also issue enforcement notices where a breach of an Information Protection Principle (IPP) has been found, ‘directing the data user to take such steps as are specified in the notice to remedy the contravention’, according to s 50 of the Personal Data (Privacy) Ordinance (the Ordinance).[1] Failure to comply is a criminal offence.[2]
The Commissioner provides complaint statistics in his Annual Report. In 1999-2000, of 303 complaints formally completed 137 (45 per cent) were resolved through mediation, 13 per cent were found to be unsubstantiated on investigation, and 24 per cent were withdrawn. Of the 56 (18 per cent) which were formally resolved, 29 were found to involve contraventions of the Ordinance. These resulted in 21 warning notices, requiring written undertakings to implement remedies, with only four resulting in enforcement notices directing remedial actions.
The Office of the Hong Kong Privacy Commissioner for Personal Data (HKPCO) reports anonymised summaries of both complaints and enquiries on its website. The website of the HKPCO provides both Complaint Case Notes[3] and Enquiry Case Notes.[4] They are both indexed by the Data Protection Principle (DPP) or section ,of the Ordinance to which they relate, and by their subject matter (‘Sector/ Business’). A lot of Enquiry Case Notes are provided and they are up to date to at least 2001. However, there are only about a dozen Complaint Case Notes and they only date from 1997-98, so ,are four years out of date. A search engine is provided, but it does not ,seem to search the complaints or enquiries.
Section 48 of the Ordinance[5] provides ‘the Commissioner may, after completing an investigation and if he is of the opinion that it is in the public interest to do so, publish a report’ detailing the results of the investigation, his recommendations and comments. However, it must ‘prevent the identity ,of any individual being ascertained ,from it’,[6] but this right of anonymity does not apply to data users,[7] only to complainants and other third party individuals.[8] There has apparently been only one report which has named a data user, and it is not available on the Commissioner’s website.
A deficiency of the Commissioner’s reporting practices is that there is no systematic reporting of those complaints that have gone to the stage of formal resolution and a decision under s 50 whether to issue an enforcement notice (56 in 1999-2000). Such reporting would need to include significant decisions not to issue notices, as well as those where notices are issued. Given that the Commissioner does have enforcement powers, systematic reporting of at least significant complaints resolved under s 50 would ,be valuable.
There is no indication on the Commissioner’s website of those decisions under s 50 that have been taken on appeal to the Administrative Appeals Board (AAB) — although there have been approximately 20 such decisions — or those matters taken to the courts for judicial review. HKLII[9] proposes to publish the decisions if the AAB will make them available (this would include all decisions, not only those on privacy issues). AAB decisions are not yet available via the internet, nor published in any convenient form. Their existence is known only to government agencies and barristers involved in this area. The Commissioner intends to investigate further the publication of information about these decisions.[10]
The NZ Privacy Commissioner produces opinions concerning breaches of the Privacy Act 1993 (NZ) after investigating complaints, but only the Complaints Review Tribunal can give binding decisions.
The Commissioner releases periodic sets of complaint summaries both in print and on his website,[11] which is ,up to date to 2002. There were 20 summaries in 1994 and 24 summaries in 2001. The level of detail is considerably greater in the more recent summaries. While very helpful, some of the earlier complaints did not usually provide enough detail about the legal considerations involved in the complaint. The summaries are one of the best examples of the reporting of mediated complaints as distinct from formal determinations/decisions. They have useful catchwords indicating the IPP involved, but no index by IPPs or subject matter. The search engine will search the tables of contents of decisions, but has some bugs.[12] The Commissioner’s office does publish printed compilations of ,all casenotes periodically, including an indexed compilation of 120 casenotes from 1993 to December 2001.[13] The index, not yet on the website, identifies casenotes by sector/agency, words and phrases interpreted, and the IPP and statutory provision interpreted.
The Commissioner’s Guide to Preparing Privacy Commissioner’s ,Case Notes states that:
The purpose of a case note is to enable someone who has not read the Commissioner’s formal opinions to understand the essential conclusions that he reached. ... The case note writer must express clearly the Commissioner’s opinion and the reasons for it. ... The case note needs to briefly set out the facts relevant to the legal points at issue and the Commissioner’s findings.[14]
The NZ Commissioner’s general practice[15] is that the complainant is ,not to be named. The default position ,is not to identify respondents, but with exceptions as explained below:
... the respondent will not be named unless it is essential to the understanding of the case, or if the Commissioner has decided ,to publicly identify the respondent.
It is usually (but not always) necessary to name government departments to enable the case note to make sense. For example, a case note involving the police will always identify the respondent as the police and not simply as ‘a respondent’, ,‘a government department’ or a ‘law enforcement authority’, as any such ,label may lead to misunderstandings. ,On the other hand, a case concerning a government department’s disciplinary records in respect of which the identity ,of the respondent was irrelevant could ,be reported in more generic terms.
Therefore, public sector respondents will normally be named but private sector ones will not. The basis on which the Commissioner will decide to name ,a private sector respondent is not discussed. Perusal of year 2002 complaints reported by the Commissioner shows that some ,private sector respondents are identified (‘Fourth Estate Holdings Limited’, a media body), but some are not (‘a life assurance company’, ‘a club’), and most but not all government agencies are identified.
In addition, the Commissioner’s Annual Report does name the year’s ‘Top 8 Respondents’, most of whom were public sector agencies, apart ,from Telecom and Baycorp (a credit bureau).[16]
There is no indication on the Commissioner’s website of which decisions by the Commissioner have gone to the Complaints Review Tribunal for enforcement proceedings, or the outcome of those proceedings. However, this information is available in printed form of facsimile judgments from the Commissioner,[17] and contains 68 decisions in little more than two years, covering 268 pages. It is therefore expensive (NZ$45) and, in effect, unavailable to anyone except the privacy cognoscenti.[18] This publication is the largest body of law on the NZ privacy legislation. It is both a credit to the Privacy Commissioner and an indication of why NZ courts and tribunals need ,to lift their game in the publication of important case law. Here is a jurisdiction that actually has some privacy law, if only it could be found.
At the very least, the NZ Commissioner could list the title of all enforcement actions to the Tribunal, their outcomes, and the titles of any further appeals. He could also list any other court actions in which his Office ,is involved, or actions of which he is aware that involve the Privacy Act.
The Australian federal Privacy Commissioner is unusual in that he ,has powers under the Privacy Act ,1988 (Cth) that allow him both to mediate complaints, and to make ‘determinations’ under s 52 that respondents should provide various remedies, including that they should ,pay monetary compensation.[19] Resolution of complaints by the Commissioner, whether by mediation ,or determination, is therefore very significant, given his powers.
In the 13 years of the Privacy ,Act’s operation (1988-2002), the Commissioner has only twice made determinations under s 52, and in these cases formal written determinations explaining the decisions (probably required by s 52) were made public. It is some measure of the lack of importance the Commissioner places on publishing his decisions that they are not available on his website, or in the official looseleaf service published with his Office’s assistance.[20] Details can only be found in summary form in the Privacy Law & Policy Reporter[21] or in the Commissioner’s 1994 Annual Report.[22]
Brief details of a handful of complaints are provided in the Commissioner’s annual reports. For example, his Annual Report 1998-99 gives brief details of nine settled complaints (out of 91 closed that year), but not the details of all the complaints resulting in compensation. Even these minimal details were dropped from the 1999-2000 Annual Report, but the 2000-01 report[23] reinstates the practice of reports on a dozen complaints, each ,a couple of paragraphs in length. The details are not enough for anyone to understand the legal significance ,(if any) of the issues resolved by ,the Commissioner in resolving the complaint. This reporting is more in the nature of a public relations exercise, and does not provide any useful guidance ,on how the Commissioner interprets ,the Act, or guidance on the types of remedies that the Commissioner typically negotiates.
The Commissioner’s website[24] does not include any details of the resolution of particular complaints.[25] It is therefore not possible to find any consolidated set of examples of how the Commissioner deals with complaints. The Commissioner says that his reporting policy is under review and will involve more complaint reporting in future.[26]
The practices of the Australian federal Commissioner illustrate best how non-publication of complaint resolutions can increase the danger that Privacy Commissioners will ‘bury their mistakes’ (such as misinterpretations of the law, failure to investigate and failure to provide adequate remedies) by making them less likely to be subjected to the scrutiny of the parties, their advisers, the press or scholars. Acts and practices in other jurisdictions may raise similar problems, but the very low level of complaint reporting by the Australian federal jurisdiction, even though the Commissioner has determinative powers, makes it the logical jurisdiction on which to focus as an example of potential problems.
As noted above, no complaints are dealt with under s 52, which at least requires that a written determination be provided to the parties (but does not require broader publication). Most complaints are dealt with under ,s 41(2)(a), the Commissioner explains:
This process [conciliation] has been very successful in the existing jurisdiction and usually results in our Office closing the complaint under s 41(2)(a) on the grounds that the respondent has adequately dealt with the matter. Moreover, in the vast majority of complaints over the last five years, resolution has not involved monetary compensation. Less than 6 per cent of complaints have involved financial compensation. In all but a few serious matters, the amounts have been very modest ($500-$2,000).[27]
Section 41 does not require any written report on a complaint; it merely allows the Commissioner to decide not to investigate further. Under s 41(2)(a), it ,is the Commissioner’s opinion, not necessarily the complainant’s view, that the respondent has dealt with the matter adequately.[28] Are all complainants dealt with under s 41 genuinely satisfied with the resolution? Do they receive a written explanation from the Commissioner setting out the interpretation of the Act on which the Commissioner thinks it would be sensible for them to settle their complaint? Do they settle because they consider that the terms offered, even if inadequate, are the best they will get from a Commissioner’s determination in any event, and because they have no right of appeal?[29]
Investigations may also be terminated because the Commissioner thinks there ,is no breach of the Act[30] or because ,‘the complaint is frivolous, vexatious, misconceived or lacking in substance’.[31] In these latter two cases, the Commissioner could proceed to make ,a determination under s 52(1)(b) ‘dismissing the complaint’, but this would require a written determination to be made setting out reasons. How many complainants are aware they could press for a s 52 dismissal determination?
Of course, if complainants know enough administrative law, they can get a statement of reasons for a s 41 decision under the Administrative Decisions (Judicial Review) Act 1977 (Cth), and they can even subject the Commissioner to judicial review of his s 41 decision. How many complainants know about this? There is at least one Federal Court decision where the Commissioner’s refusal under s 41 to investigate further was remitted back to the Commissioner for reconsideration,[32] but the only published decisions of judicial review ,of decisions by the Commissioner were on misconceived grounds.[33]
The lack of any rights of appeal for complainants, the Commissioner’s practice to avoid making s 52 determinations, the lack of cases of judicial review of s 41 refusals to investigate further and the Commissioner’s practice not to publish any meaningful details of mediated or dismissed complaints, taken together, prevents any accountability by the Commissioner for his handling of complaints. The Australian Privacy Commissioner’s Office has become a ‘black hole’: many complaints enter, ,but no privacy law or practices ever escape to receive public scrutiny.
I have no clear idea whether these dangers have been realised in incorrect decisions and inadequate remedies; the lack of public information prevents accountability. Even if the Australian federal Commissioner’s staff are scrupulous in avoiding the dangers described, justice is not being seen to be done. Systematic reporting practices would ameliorate some of these deficiencies in the legislation.
The Commissioner describes his approach as ‘based on using the lowest cost, lowest profile approach that the complainant and respondent organisation will allow’.[34] He has decided that it is only in ‘rare circumstances’ that he will consider identifying a company that is ,the subject of a privacy complaint. Information Sheet 13, The Privacy Commissioner’s Approach to Promoting Compliance with the Privacy Act,[35] states that the normal anonymised approach will be as follows:
The Office includes in its annual report some cases studies on complaints it has handled and investigations it has carried out. These are reported in summary form and do not generally identify the complainant or respondent. With the new private sector provisions, the Office plans to add to this approach by publishing more frequent, de-identified case notes on complaints it has handled. The aim of these will be to help organisations and the community understand the way the Office applies the provisions of the Act and, where relevant, the provisions of approved codes.
The circumstances where respondents (companies and so on) will be named are as follows:
On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. ,This may be, for example, where there ,is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches ,the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. ,In the ordinary course of events, the Commissioner would not consider ,such a step unless:
This conjunction of requirements means that, no matter how repeatedly ,or seriously a company has breached ,the Privacy Act, if it demonstrates an intention to mend its ways it will not be named at the Privacy Commissioner’s initiative. It would be more appropriate ,if only one of these conditions needed to be satisfied before a respondent was named. ‘Name and shame’ has been unnecessarily blunted as a weapon in ,this Commissioner’s armoury.
As it stands, the only likely way that the identities of privacy invading companies will be known is where complainants have the courage to go public and the media reports the offenders, or the complainant pushes ,for a formal determination under s 52. The two s 52 determinations made by previous Commissioners in the past 13 years have been published and have identified the respondent departments, but Information Sheet 13 is silent on whether that practice will be followed in future.
Even more restrictive, the reporting of identified complaints is completely eliminated if a complaint is dealt with under an industry privacy code (Pt IIIA ,of the Act). The Privacy (Private Sector) Regulations 2001 set out in Sch 1 ‘Prescribed standards for procedures relating to complaints’, which gives the Commissioner his instructions from the government as to what industry codes ,he can and cannot approve. Part 5 ‘Accountability’ states under ‘Principle’ that ‘Reports of determinations and information about complaints must be published ...’, but in fact only mentions determinations. In relation to determinations it includes the initially positive requirement in cl 5.2 that ‘(1) Written reports of determinations by an independent adjudicator must ... (b) be made available to any other interested person or body’ but unfortunately then provides that ‘(4) A report must not: (a) name any complainant or respondent organisation’.[36] The ‘determinations’ made by Code adjudicators are ,supposed to be the same as those made under s 52 (s18BB(3)(d)), so there appears to be an inconsistency between previous practice and the Regulations. Part 5 says nothing about publication ,of details of other complaints which ,are resolved by mediation rather than ,a determination, so there is no reason ,to assume that the Commissioner’s approach to providing de-identified summaries will be followed by Code authorities.
This example demonstrates one of ,the dangers of co-regulation: less accountability for the co-regulatory bodies through weaker reporting requirements.
The only details of complaint mediations by the NSW Privacy Commissioner (and the previous NSW Privacy Committee, operating since 1975) are a few complaints summarised ,in each annual report. The NSW Commissioner’s Office states that it is at present unable to prepare case summaries due to resource limitations, except for annual reports, and these are also two years in arrears. However, the Commissioner has applied for funding for a new computer system which will require preparation of an anonymised complaint summary when a file is closed.[37]
The two year lag in annual reports means that no reporting of complaint resolutions under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)[38] has yet occurred.
At present, no details of complaint resolutions by the Commissioner are available on the Commissioner’s website,[39] with one exception mentioned below. Not even old annual reports are included. However, the website does provide two other important forms of information about complaint enforcement under the PPIP Act.
The website includes a link to all appeals[40] to the NSW Administrative Decisions Tribunal (ADT) under the Act, and will presumably also include links to court decisions once any arise. However, the three ADT decisions listed on the site do not quite give a comprehensive picture of judicial consideration of the PPIP Act, as a search over AustLII reveals five additional decisions mentioning the legislation, at least one of which is of some significance. This is merely raised ,to illustrate the point that courts or tribunals, other than those which may have an explicit role in appeals or judicial review under an Act, may contribute to the Act’s interpretation, and it is valuable for Commissioner’s sites to list all judicial sources of interpretation.
The PPIP Act makes specific provision for written reports on complaints under ,s 50 and s 65. The Commissioner’s website includes links to special reports to Parliament by the Commissioner under s 65. Since 1998, the Commissioner has made two such reports,[41] identifying the respondents and criticising their conduct. The permissible content of s 65 reports was contested during the Aquilina investigation[42] and this has not yet been resolved by the courts.
The Commissioner does not publish ,all s 50 investigation reports because ,s 50 restricts publication to the parties concerned. Legal advice received by the Commissioner is that s 65 (Special reports to Parliament) are the only means of publishing more widely the details of complaints unless one of the following apply:
(1) the matter has been the subject ,of a special report to Parliament;
(2) Privacy NSW has obtained the consent of the complainant, and the consent of the respondent if the respondent’s personal information ,is also at issue; or
(3) the complaint has been de-identified.[43]
It seems therefore that the NSW Commissioner may have a limited ability to name respondents in published reports, but has not yet utilised his ability to systematically report anonymised complaint resolutions.
Australia — other jurisdictions
The Victorian Privacy Commissioner[44] started to handle complaints under Victorian legislation on 1 September 2002, and does not yet have a stated policy on complaint resolution and publication.
The Queensland Information Commissioner[45] publishes the full text of all his decisions,[46] and maintains details of all judicial reviews of his decisions.[47] However, these are only binding determinations on access and correction complaints, as the Freedom of Information Act 1992 (Qld) (FOI ,Act) does not deal with other IPP complaints. Similarly, the WA Information Commissioner[48] publishes the full text of all decisions since 1994,[49] and indexes them by sections of the FOI Act, by catchwords and so on. Once again these are limited to access and correction complaints, as the legislation deals only with FOI.
The fully reasoned decisions of both Information Commissioners are good examples of reasoned determinations ,by Commissioners (not, however, complaint resolutions by conciliation), and the majority of their decisions deal with access to and correction of personal records. These are important aspects of IPPs, and it is hard to see why questions of collection, disclosure, security and use are so much harder to document than access and correction decisions.
Graham Greenleaf, General Editor.
The concluding part of this article, covering Canadian privacy agencies, will appear in a subsequent issue of PLPR.
[1] See <www.hklii.org/hk/legis/ ord/pdo275/s50.html>.
[2] Section 64(7) at <www.hklii.org/hk/legis/ord/pdo275/s64.html>.
[3] See <www.pco.org.hk/english/casenotes/case_complaint.php>.
[4] See <www.pco.org.hk/english/casenotes/case_enquiry.php>.
[5] See <www.hklii.org/hk/legis/ord/pdo275/s48.html>.
[6] Section 48(3).
[7] Section 48(4)(b).
[8] See Berthold M, Wacks R Data Privacy Law in Hong Kong FT Law and Tax Asia Pacific 1997 p 205 for more discussion.
[9] Hong Kong Legal Information Institute <www.hklii.org>.
[10] Personal communication.
[11] See <www.privacy.org.nz/people/casenote.html>.
[12] In particular, it will list individual complaints in its search results, but cannot display them (17 July 2002).
[13] Published by the Commissioner, March 2002.
[14] 1995, revised 2002; available on request from the NZ Commissioner.
[15] Guide, number 20.
[16] Annual Report 2000-1 Table 8.
[17] NZ Privacy Commissioner Complaints Review Tribunal Privacy Cases 1998-2002 (Vol III), NZ$45.
[18] Those with even deeper pockets can find some of the decisions in Paul Roth’s Privacy Law and Practice looseleaf service Butterworths, NZ.
[19] A de novo hearing before a court is necessary in order to enforce a determination (s 55A), but the determination is prima facie evidence of the facts on which it is based (s 55B).
[20] Federal Privacy Handbook, looseleaf service CCH Australia Ltd.
[21] Determination: Secretary, Department of Defence 1 PLPR 152 available at <www.austlii.edu.au/au/journals/PLPR/1994/116.html>; Determination: Minister for Administrative Services 1 PLPR 170 available at <www.austlii.edu.au/au/journals/PLPR/1994/127.html>.
[22] Above note 1.
[23] See <www.privacy.gov.au/publications/01annrep.pdf>.
[24] See <www.privacy.gov.au/>.
[25] A minor exception is that PDF versions of the (pre-1999) Annual Reports are located obscurely, hidden ,in fact, on the site. They are ‘hidden’ in the sense that they are not listed in the table of contents or even the site map ,at <www.privacy.gov.au/site-map/index.html> but can be found if you search for them (17 July 2002). The contents are not searchable, only the title ‘Annual Report’. This is not effective as publication.
[26] Personal communication.
[27] Letter by Federal Privacy Commissioner to the Australian Chamber of Commerce and Industry (ACCI) August 2001.
[28] Consumer advocates are adamant that some of their clients have very reluctantly accepted proposed settlements on the basis that the Commissioner was proposing to deal with their complaint under this section, and they feared that if they insisted on a s 52 determination they would receive even less: personal communications.
[29] Above note 5, concerning how the lack of appeal rights is biased against complainants.
[30] Section 41(1)(a).
[31] Section 41(1)(d).
[32] Matter D17 of 2000, Federal Court, Darwin. No judgment was delivered, and the transcript is only available to the parties.
[33] Gao v Federal Privacy Commissioner [2002] FCAFC 128; BC200202380; Mario Riediger v Privacy Commissioner [1998] FCA 1742 ,(23 September 1998).
[34] Above note 27.
[35] See <www.privacy.gov.au/publications/is13_01.html>.
[36] This is one small example of how the Regulations are systematically biased against complainants and against the public interest in accountability,
[37] Personal communication, Office of the NSW Privacy Commissioner.
[38] See <www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464/>.
[39] See <www.lawlink.nsw.gov.au/pc.nsf/pages/index>.
[40] See <www.lawlink.nsw.gov.au/pc.nsf/pages/cases>.
[41] Investigation Report into a complaint by Carol Atkins against ,Mr Hugh Percy and Queanbeyan ,City Council Special Report No 1, September 2001 available at <www.agd.nsw.gov.au/pc.nsf/pages/queanbeyan2>; Special Report to NSW Parliament under section 65 of the Privacy & Personal Information Protection Act 1998, Complaint by Student A and his father against Hon John Aquilina MP, Mr Walt Secord, ,Mr Patrick Low Special Report No 2, ,7 May 2002 available at <www.agd.nsw.gov.au/pc.nsf/pages/reported>.
[42] Student A v Aquilina, Secord, and Low, Special Report No 2, 7 May 2002 available at <www.agd.nsw.gov.au/pc.nsf/pages/reported>.
[43] Personal communication, Office of the NSW Privacy Commissioner.
[44] See <www.privacy.vic.gov.au/>.
[45] See <www.slq.qld.gov.au/infocomm/>; also decisions 1993- on AustLII at <www.austlii.edu.au/au/cases/qld/QICmr/>.
[46] See <www.slq.qld.gov.au/infocomm/listdec.html>.
[47] See <www.slq.qld.gov.au/infocomm/reviews.html>.
[48] See <www.foi.wa.gov.au/>.
[49] See <www.foi.wa.gov.au/Decisions.htm> and on AustLII at <www.austlii.edu.au/au/cases/wa/WAICmr/>.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2002/37.html