Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Horton, Jonathan --- "The Queensland privacy scheme" [2002] PrivLawPRpr 5; (2002) 8(8) Privacy Law and Policy Reporter 166

The Queensland privacy scheme

Jonathan Horton

This Reporter previously anticipated the introduction of a legislation free privacy regime for the Queensland public sector.[1] That regime became a reality late last year when an earlier Cabinet decision was given effect by implementing a privacy scheme through administrative means.[2] The relevant administrative instruments are Information Standard 42 (and accompanying guidelines) and Information Standard 42A. This article will comment on the scope of those instruments, the relatively novel mechanism through which the privacy regime has been established, and just what the public sector agencies will be required to achieve.

Information Standard 42: public sector bodies

Information Standard 42 applies to accountable officers and statutory bodies. Accountable officers are chief executives of departments, other persons appointed by the Treasurer as such, the Clerk of the Parliament and the Governor’s Official Secretary. Local government and the Queensland Department of Health are expressly excluded, although the Attorney General has publicly encouraged local government to adopt the same standards.

There seems to be uncertainty as to whether government owned corporations (GOCs) are automatically covered by the new scheme, but that matter can merely be noted here and left for another day.[3] There is also the real possibility that some of the so-called ‘Company GOCs’ will fall within the Privacy Act 1988 (Cth), provided the purpose of their establishment was not a public purpose.[4]

Information Standard 42 applies the Information Privacy Principles (IPPs) from the Privacy Act with only some differences. First, understandably there is no requirement to give the Privacy Commissioner a copy of the record relating to the nature of the records kept in accordance with Principle 5. Second, personal information is to be interpreted more narrowly for the purposes of IPPs 6 and 7 (accessing and altering records), being limited to information concerning an individual’s personal affairs.[5] Third, rights of access and correction are limited to existing rights under the Freedom of Information Act 1992 (Qld).

Information Standard 42A: Queensland Department of Health

Information Standard 42A applies only to the Queensland Department of Health and adopts the National Privacy Principles (NPPs) recently inserted into the Privacy Act. There are just a few alterations to the NPPs:

• an additional requirement that a collection notice is not necessary where the information is a statutory collection (see the new cl 1.6 in NPP 1);
• several clauses have been removed on the basis that they are not considered relevant to the Queensland Department of Health — cll 2.3 (exchanging information between related bodies corporate), 7.1 (adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances), 7.2(c) (again, relating to the use of prescribed identifiers by prescribed organisations), 10.1(d) (sensitive information collection by non-profit organisations), and 10.5 (definition of a non-profit organisation); and
• the removal of cl 6 (concerning the rights of access and correction) — a note in the Information Standard indicates that the right of access and correction is limited to the Freedom of Information Act and/or the Department of Health administrative access to health records policy.

The Queensland Government considered that, by applying the substance of the NPPs to the Department of Health, a nationally consistent approach between public and private health sectors would be ensured.[6]

General comments

The real interest of the Queensland administrative scheme lies not so much in the substantive principles that apply, but in the manner of the scheme’s establishment. As will be seen from what follows, the Queensland public sector is under a somewhat diluted obligation to adhere to the relevant principles — there is no legal consequence of breaching the Information Standards, no public rights of action are created for infringements of privacy (no matter how serious) and no independent officer or body exists to oversee the scheme and ensure adherence to it.

Standard of compliance

The Information Standards are said to be issued pursuant to two sections of the Financial Management Standard 1997 (Qld), namely, ss 22(2) and 56(1).[7] Section 22(2) requires the accountable officer or statutory body to develop a plan for the agency’s ‘information and communication technology resources’ which is consistent with the mandatory requirements of each Information Standard. Section 56(1) provides that an agency’s systems for financial information management must deal with the issues of recording, storing, keeping, retrieving and destroying financial information.

In short, the standard of compliance required from government organisations covered by the Information Standards is not high. ‘Developing a plan which is consistent with’ and ‘dealing with’ are not tests that are traditionally regarded as imposing a very high degree of compliance. They simply require that the appropriate matters are taken into consideration, and, where appropriate, adopted or applied. Ultimately, however, a wide discretion is conferred. One of the main problems with the requirement of developing a plan consistent with the mandatory requirements of the Information Standard is that only very few provisions of that Standard are labelled as mandatory. Those provisions are set out below. None of those requirements demands a direct adherence to the IPPs; just that a privacy plan be developed and implemented.

In the event of a breach, the relevant Cabinet decision vests responsibility in the chief executive of public sector entities ‘in keeping with agency level responsibilities for addressing complaints associated with breaches of a code of conduct’. It will not be lost on most readers that the responsibility for resolving complaints rests with precisely the same officer who has the obligation to comply with those Standards.

Other additional obligations which are imposed by the Information Standards (and labelled mandatory) ought to be briefly noted. Departments and agencies must:

• nominate a contact officer to be the first point of contact for privacy issues within their own agency;
• develop privacy to give effect to the principles;
• publish privacy plans on their websites (before April 2002);
• implement the privacy plans (within two years);
• review and update privacy plans annually;
• develop and publish privacy and security statements;
• be responsible for access and correcting records; and
• be responsible for the complaint resolution mechanisms.

One final point is that both Information Standards use as their point of distinction, the Queensland Department of Health: one excludes it, the other is confined to it. The distinction might be more effective if, as with the Commonwealth scheme, it was drawn on the basis of the nature of the information itself, and not the body in whose hands the information rests. The result is that health information held by other State agencies will not come within Standard 42A and regulation by the NPPs, and therefore will be outside the nationally consistent approach.

Conclusions

It might be going too far to say that the new privacy scheme in Queensland goes a long way in terms of setting clear incentives for government agencies to protect personal information. At best, it is an important first step, which may serve to initiate the important cultural change required to create a level of commitment to the privacy principles. Although the Queensland scheme does not go quite so far as it might, the administrative process is under way and its substance is generally consistent with the approach in other jurisdictions. In an administrative sense, the Department of Justice and Attorney General has the primary responsibility for the privacy regime, and within it, a specialised privacy unit. However, in the absence of a specific allocation of funds to agencies by the Queensland Government, there is a live issue regarding just how effective this scheme will ultimately be when it comes to those agencies putting it into practical effect.

Jonathan Horton, Solicitor, Minter Ellison Lawyers, Brisbane.

The research assistance of Ian Hanrahan, Summer Clerk at Minter Ellison, is acknowledged.

[1] (2001) 7(8) PLPR 168.

[2] Cabinet decisions of December 2000 and September 2001.

[3] Compare Government Owned Corporations Act 1993 (Qld) s 127 (comments that the Financial Administration and Audit Act 1977 (Qld) applies to statutory GOCs as if they were statutory bodies within the meaning of that Act) and comments in Information Standard 42 (to the effect that the Standard applies to statutory GOCs where the relevant shareholding Minister provides notification of such pursuant to the Government Owned Corporations Act 1993 (Qld) s 123).

[4] Privacy Act 1988 (Cth) s 6C.

[5] See Freedom of Information Act 1992 (Qld) s 44.

[6] See Department of Justice and Attorney General ‘Queensland Privacy’ Fact Sheet No 29 September 2001.

[7] The empowering Act is the Financial Administration and Audit Act 1977 (Qld).