Privacy Law and Policy Reporter
The complaint resolution reporting practices of Asia-Pacific Privacy Commissioners were examined and criticised in a series of articles in this volume of PLPR (G Greenleaf ‘Reporting privacy complaints Part 1: A proposal for systematic reporting of complaints in Asia-Pacific jurisdictions’ (2002) 9(3) PLPR 41; ‘Part 2: Complaint reporting practices of Asia-Pacific Privacy Commissioners’ (2002) 9(4) PLPR 74-79; and ‘Part 3: Complaint reporting practices of Canadian Privacy Commissioners’ (2002) 9(6) PLPR 111-115). There have now been significant improvements in the reporting practices of Commissioners in a number of jurisdictions.
Most notable is that the Australian Commonwealth Commissioner has commenced reporting complaints in significant detail for the first time. Since the end of 2002 the Commissioner has commenced online publication of selected complaints, resulting in the publication ,of four complaint summaries from December 2002 to February 2003 (see <www.privacy.gov.au/act/casenotes/index.html>). The Commissioner states that ‘[most] cases chosen for inclusion in case notes involve new interpretation of the Act or associated legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry’. The complaint summaries published as yet are reasonably detailed, averaging 1.5 pages, giving more detail than has been found previously in Annual Report summaries. On the examples available so far, the complaint summaries are quite detailed. They refer specifically to those privacy principles and sections of the legislation on which resolution of the complaint turned; they indicate whether the Commissioner’s Office considered ,that the complaint appeared to involve breaches (as these are mediated complaints, no final decision on this point is made by the Commissioner); and they indicate the remedies provided to the complainant. Any prospective complainant or respondent, or their advisors, would find them very helpful. Summaries of, and comments on, these complaint reports will now appear regularly in PLPR, commencing with ,this issue.
The value of the four complaint summaries published so far illustrates how damaging it has been to the public understanding of privacy law in practice that no equivalent summaries have been published from 1989 to late 2000. Even at a rate of one complaint per month, there would be a body of more than ,150 complaints to draw on by now. ,It would be beneficial if the Commissioner instituted a program of retrospective publication of the most significant complaints investigated by ,his office in the last decade, even if this only amounted to a few per year.
In response to the articles in PLPR, ,the NZ Privacy Commissioner’s Office reconsidered its reporting practices in consultation with AustLII, and has now adopted a citation style with utilises the citation method recommended here, plus a succinct but descriptive approach to case titles. The NZ PCO internal case reference number is retained as part of the title. Government respondents are often named (at least by abbreviation such as ‘ACC’). Examples of cases from 2002 are as follows.
Summaries of, and comments on, selected NZ cases will also now appear more regularly in PLPR.
The Australian Privacy Commissioner, after discussions with AustLII, has also now adopted the same citation method as NZ, but has adhered closer the case title method suggested above. The first four examples published are:
The approach taken by both Commissioners seems workable. If other Commissioners start to adopt a generally acceptable method of citation, this will provide many benefits.
An increased range of databases ,of decisions by Commissioners and Tribunals on privacy cases is now available.
The most notable is the ‘New Zealand Privacy Commissioner Cases’ database on AustLII <www.austlii.edu.au,/nz/cases/NZPrivCmr/> which already includes decisions back to 1998. The Australian Federal Commissioner has agreed that AustLII can create a database of his complaint reports, and the Hong Kong Commissioner is considering the offer to include his decisions on HKLII <www.hklii.org/> and WorldLII <www.worldlii.org/>.
There are also an increasing number of decisions on the NSW privacy legislation available in the database of the NSW Administrative Decisions Tribunal <www.austlii.edu.au/au/cases/nsw/NSWADT/>, as illustrated below.
DO applied for admission to a PhD program at the University of New South Wales (UNSW), which is an agency for the purposes of the Privacy and Personal Information Protection Act 1998 (NSW). In his application ,DO signed a declaration stating in part that:
I authorise the University to obtain official records from any tertiary institutions previously attended by me. If any information supplied by me may be considered to be untrue or misleading in any respect, I understand the University may take such action as it believes necessary ... I understand that the University reserves the right to vary or reverse and decision made on the basis ,of incorrect or incomplete information.
Under the heading ‘Academic Qualifications’ DO indicated he had obtained two qualifications from Australian National University (ANU). DO was admitted to the program ,but his enrolment was subsequently terminated by UNSW which stated ‘you did not declare on your application for admission to the PhD program your previously (sic) enrolments at the University of Adelaide (1997), the University of Queensland (1998), Macquarie University (1999) and the University of Tasmania (2000 and 2001)’.
DO complained that UNSW breached the Act by obtaining personal information about him from universities (other than ANU) without his consent. UNSW conducted an internal review which concluded that it had not acted outside the authority provided by DO in collecting information from the other universities. DO sought a review of UNSW’s conduct by the ADT under ,s 55 of the Act.
Deputy President Hennessy dismissed the application. There was no breach of information privacy principle (IPP) 8 (s 8) because UNSW had collected the information from the other universities for the lawful purpose of considering whether DO was an appropriate person to enrol in a PhD program, and information about his previous academic history was reasonably necessary for this purpose.
IPP 9 (s 9) requires that personal information must be collected ‘directly from the individual to whom the information relates’ unless ‘the individual has authorised collection of the information from someone else’. Hennessy DP held the declaration DO signed authorising UNSW to obtain information ‘from any tertiary institutions previously attended by me’ was not qualified in any way and did authorise the collection that took place.
Although Hennessy DP’s decision is not surprising, the case illustrates the risk of breaching IPP 9 that NSW agencies face if they obtain personal information from third parties without first obtaining authorisation from the individual concerned.
IPP 9 has a threefold effect in that:
It is also important that IPP 9 does not prevent the agency from checking with a third party that the information provided by individual is correct or complete.
In this case, UNSW did not appear (on the facts reported) to explicitly ask DO to list all universities he had attended. However, it did obtain authorisation to obtain personal information from all such institutions. ,If (as would be more usual) UNSW ,had explicitly asked DO to list all universities he had attended, UNSW would still have been entitled to check the information he provided with those universities (provided this complied with IPP 8).
The Privacy Act 1988 (Cth) imposes requirements on private sector organisations concerning collection from third parties (it imposes no such requirement on Commonwealth agencies). NPP 1.4 provides that:
If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
It goes on to say in NPP 1.5 that:
If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
These obligations are very different from those imposed on NSW agencies: there is no obligation to obtain the individual’s authorisation to collect from third parties (though NPP 1/4 imposes an obligation of notice in general terms), but the information must also be collected from the individual wherever reasonable and practicable; and agencies must not check with third parties if it is reasonable not to check.
While the NSW agency provisions and the Commonwealth private sector provisions are rather different, in general the NSW provisions impose ,a higher level of obligation. The Commonwealth agency provisions impose none.
C, an employee of a Commonwealth agency, applied for a position with another Commonwealth agency and nominated as a referee his supervisor. The position principally involved answering telephone enquiries from ,the public. C complained that the supervisor disclosed to the other agency that he suffered from epilepsy and depression; was on sick leave; and ,did not cope well under stress.
The defences for disclosing this personal information potentially open to the agency under Privacy Act 1988 (Cth) IPP 11 were that IPP 11.1(a) provides that a disclosure is permitted when the individual concerned is reasonably likely to be aware that information of that kind is usually passed to the relevant person, body or agency; and that IPP 11.1(b) provides that personal information may be disclosed with consent (express or implied) of the individual.
The Commissioner considered that the disclosure of the personal information about epilepsy and sick leave was not permitted by IPP 11.1(a) because C ‘was not reasonably likely to be aware that the referee would disclose medical information in the course of providing a reference’. Nor did 11.1(b) apply because:
... while the complainant impliedly consented to the disclosure of a range of personal information relating to skills, work experience and personal attributes relevant to the advertised position, information about medical conditions and past sick leave taken could not be construed as within the scope of implied consent.
However, the Commissioner considered that the disclosure about C being susceptible to stress did not contravene IPP 11 because ‘susceptibility to stress is a normal human characteristic properly relevant to employment’ and so (under IPP 11.1(a)) C was ‘reasonably likely to be aware that judgements of this kind could be conveyed to the interview panel’, and (under IPP 11.1(b)) by nominating a referee C had impliedly consented to disclosure of this information.
The result was that the Commissioner ceased investigation when the agency apologised to the complainant and ,paid compensation of $7000.
The complaint is significant in illustrating that considerable financial compensation can result from breaches of the IPPs by Commonwealth agencies.
It would be informative if the Commissioner explained in his casenotes, as a general practice, why it is not appropriate to name a particular Commonwealth agency respondent.
A woman supplied a temporary protection order to the Electoral Enrolment Centre (EEC) to support her claim to be on the unpublished electoral roll because of concern about her safety. A man, who was listed as the ‘respondent’ on the order, noticed that she was not listed on the electoral roll. He wrote to the EEC suggesting that the woman should not be on the unpublished roll as the protection order was no longer current. The EEC wrote to the woman about the matter. She supplied new material to the EEC in order to remain on the unpublished roll.
The man then requested under Principle 6 of the NZ Privacy Act 1993 (access to personal information about him) access to the information used by the woman to support her claim to remain on the unpublished roll.
The EEC refused the request on ,the basis of s 29(1)(a) of the Privacy Act 1993, that disclosure of the information would be an unwarranted disclosure of the affairs of another individual. The principal issue was that some of the information was personal information about both the man and the woman. Where there is ‘mixed’ information, a balance must be struck between the requester’s right of access to personal information against the other person’s interest in protecting his or her privacy. The Commissioner considered that:
The meaning and scope of ‘affairs’ has been held by the Complaints Review Tribunal to refer to the ‘ordinary pursuits of life, business dealings, public matters’ (O and Others v N, CRT 19/94, decision no. 4/96). ‘Affairs’ generally requires a course of conduct on the part of the individual, although a single event or action which relates to a course of conduct by that individual might be construed as their ‘affairs’. ‘Unwarranted’ has been understood in this context to mean ‘unjustified’ or ‘without good and sufficient reason’. This requires a weighing of the parties’ respective and competing interests in order to decide whether access (or refusing access) can be justified in the circumstances.
The Commissioner was satisfied that the disclosure of this information would be an unwarranted disclosure of the woman’s affairs and that EEC’s actions in withholding it did not breach Principle 6.
Graham Greenleaf, General editor, summarised from the ,Commissioner’s case notes.