Privacy Law and Policy Reporter
This new PLPR column will provide a regular round-up of recent legislative and policy developments in the Australian States and Territories. Other news is covered in ‘Private Parts’. This opening column summarises the current position in each State and Territory. (Associate Editor).
New South Wales
Privacy NSW – running on empty?
John Dickie’s appointment as Acting Privacy Commissioner has been extended pending the appointment of a new full time Commissioner, at the expense of the positions of Deputy Commissioner and Senior Policy Officer. As Mr Dickie remains only part time, the resources of Privacy NSW are currently significantly reduced, and will effectively remain so even after a new Commissioner takes office, as he or she cannot realistically be expected to make up for the loss of two experienced officers.
One last significant contribution by the two recently departing senior staff (see Private Parts in (2004) 11 PLPR 28) was a substantial submission the NSW Attorney-General’s Department’s Review of the Privacy and Personal Information Protection Act 1998 (PPIPA), which is available on the Privacy NSW website . A further Privacy NSW staff member, Siobhan Jenner, has also now left to take a position with the Federal Privacy Commissioner.
Workplace surveillance Bill limited
The NSW Government issued an exposure draft of a Workplace Surveillance Bill in June, inviting submissions by 4 August. The Bill would replace the current Workplace Video Surveillance Act 1998 with a broader more technology-neutral regime. While this was expected to be a welcome development, the Australian Privacy Foundation has submitted that it has major flaws . While the Bill generally requires a magistrates authority for covert surveillance, it undermines this with an exception where surveillance is necessary (in the employer’s view) for ‘the security of the workplace or persons in it’. The Bill also fails to provide any regulation of overt or notified surveillance, beyond the threshold test of it being notified to employees. Most overt surveillance in NSW workplaces would remain wholly unregulated after the passage of this Bill – records of surveillance not even being subject to normal privacy principles due to the exemptions relating to employee records in both the federal Privacy Act and NSW PPIPA. This despite the significant a rising levels of enquiries and complaints about overt surveillance to Privacy NSW, and despite the recommendations of the NSW Law Reform Commission for binding principles.
The Privacy Foundation also point out that the Bill offers no protection against surveillance of employees outside the workplace and outside work hours – precisely the most objectionable form of employer surveillance. A further flaw is the reliance exclusively on criminal sanctions rather than taking advantage of the civil remedies available through the Privacy Commissioner and the Administrative Decisions Tribunal under PPIPA. The criminal sanctions in the current Workplace Video Surveillance Act have not been effective, with no prosecutions in five years, despite evidence of abuse.
There have been no recent major developments in Victoria, with the Privacy Commissioner and Health Services Commissioner continuing to bed down their roles under, respectively, the Information Privacy Act 2000 (IPA) and Health Records Act 2001(HRA)
Privacy Victoria has established a new secure on-line complaints facility, and published the first case studies of complaints conciliated under the IPA . (See ‘Cases + Complaints’ in this issue)
The Victorian Health Services Commissioner has concentrated on issuing guidance for those affected by the HRA which came into full effect in July 2002. Unusually, the Commissioner publishes detailed quarterly as well as annual Reports. Her latest quarterly report – for Jan-March 2004 records 53 new HRA complaints and 392 telephone enquiries. This compares with 69 and 466 for the previous quarter and 38 and 536 for the quarter before that. Almost half the complaints in the latest quarter, and more than 100 enquiries in all three quarters of 2003-4 to date (more than 200 in the first qtr) concerned access or correction. A small but rising number of enquiries are referred to the federal Privacy Commissioner, perhaps reflecting the continued confusion over health privacy jurisdiction. The Commissioner’s complaints reporting includes a ‘seriousness’ rating. 42% of HRA complaints were considered ‘medium’ seriousness in the latest (3rd) quarter compared to 29% in the previous quarter, although there were no ‘high’ seriousness complaints compared to 5 (8%) in 2nd qtr.
The Victorian Law Reform Commission’s Workplace Privacy reference continues but there has been no new material since the 2002 Issues Paper. Consultation on this paper included forums in late 2003, and an Options Paper is expected soon .
The Queensland government declined to adopt the recommendations of a Parliamentary Committee in 1998 for privacy legislation. Instead, most Queensland government agencies have since 2001 been under administrative instructions to follow Information Standard 42 which comprise a set of principles, and supporting guidelines, based on the Commonwealth Privacy Act public sector IPPs . However Queensland Health (but not other health related agencies such as the ambulance service and disability services) have had to comply instead with Information Standard 42a Principles and Guidelines which are based on the federal private sector NPPs, although still with some of the features of the IPPs. There is no central enforcement mechanism or facility for handling complaints about breaches of the Information Standards.
Additional Guidelines on the disclosure of personal information to Members of Parliament and their staff acting on behalf of constituents have been issued under IS 42 and will be incorporated into it at its next revision, due in December 2004.
Police digital radio
The other initiative to have generated a privacy debate is the Inquiry by the Crime and Misconduct Commission into the proposed introduction of a digital radio system by Queensland Police . Because digital radio is encrypted, this would prevent third parties from listening in to Police operational communications. While this is obviously a benefit from a privacy perspective, it reduces the accountability of the police, and the media in particular are strongly opposed. The Commission invited submissions and has held public hearings. A submission from the Australian Privacy Foundation welcomed the greater privacy protection but accepted the need for compensating accountability arrangements, while the civil liberties interests on this occasion parted company – arguing on balance for openness on accountability, even at the expense of the privacy of individuals mentioned in police communications. It will be interesting to see how the Commission seeks to resolve these competing interests.
Western Australia has neither administrative directions nor privacy legislation at present. In May 2003, the government released a discussion paper and policy research paper proposing the introduction of privacy laws and establishment of an independent Office of Privacy and Information Commissioner. On 21 October 2003, the Attorney-General confirmed in Parliament that Cabinet had since decided to merge the proposed position of Information and Privacy Commissioner into the existing role of the Ombudsman. The Attorney-General indicated legislation would be introduced in 2004. The Office of Information Commissioner currently still exists with an Acting Commissioner .
More Clayton’s IPPs
South Australia introduced a set of state Information Privacy Principles by means of a Cabinet Administrative Instruction first introduced in 1989 but re-issued in July 1992 . This Instruction applies to state, but not local, government in South Australia. More recently, the government has introduced a Citizens’ Rights to Information Charter which commits to “open, honest and accountable government, and to protect citizens’ rights without breaching the principles of personal privacy”.
In December 2001, the SA Department of Human Services adopted a Code of Fair Information Practice based on the private sector NPPs in the federal Privacy Act.
Complaints but no results
SA has a Privacy Committee, first established by proclamation in 1989. Its role has variously encompassed complaint handling and advice to government but it has never had a very high profile – it took great perseverance to find the Committee’s Annual Reports on the State Records website . In 2002-03 the Committee received 29 written complaints – up from less than ten a year in previous years. It also received more than 430 telephone calls – while 56% were about the effect of federal privacy law, the remaining 44% concerned actions of SA government agencies. The Committee is thought to have presented a paper to the SA government on options for privacy legislation but there is no reference to this in the Annual Reports (for 2001-02 and 02-03) available on the website.
TasmaniaTasmanian government agencies operate under administrative guidelines, based on the Commonwealth public sector IPPs, first issued in 1997 and re-issued in May 2000 .
In November 2001, the government released a Tasmanian Information Privacy Legislation issues paper and draft Tasmanian Information Privacy Principles for public comment . On 9 June 2004, the Attorney-General confirmed in Parliament that a draft bill was still being finalised by the Department of Justice and Department of Premier and Cabinet. The bill will apply mandatory requirements to state and local government and will be compatible with the Commonwealth Government’s private sector NPPs.
Australian Capital Territory
ACT government agencies have been subject since 1988 to the Federal public sector IPPs – since the mid 90s under a statutory arrangement whereby the Privacy Act 1988 applies as if it had been enacted separately for the ACT. The Federal Privacy Commissioner acts as the ACT Commissioner with the same range of functions and powers as she has in relation to Commonwealth agencies.
The ACT was the pioneer in enacting separate health privacy legislation with the Health Records (Privacy and Access) Act 1997, which applies to both public and private sector users of health information in the ACT, supervised by the Community and Health Services Complaints Commissioner .
More recently, the ACT Legislative Assembly has led the way again with its statutory Bill of Rights. The Human Rights Act 2004 includes s12 providing protection for privacy and reputation, based on the wording in international human rights instruments. This only provides those subject to ACT laws with a basis for arguing for interpretations of ACT laws consistent with the privacy right in s12 as far as possible (s30), and allows the Supreme Court to make a ‘declaration of incompatibility’ (s32) where laws are not so consistent in order to inform the legislature of this. The meaning of privacy in s12 is not restricted to the narrow information privacy rights conferred by the federal Privacy Act and ACT Health Records Act, but is equivalent to that in Article 17 of the International Covenant on Civil and Political Rights. The Act allows the Attorney-General and the Human Rights Commissioner to intervene in proceedings which involve the application of the Act (s36). The Act does not therefore do anything like creating a right of privacy, but its operation will be interesting to observe.
The NT Information Act 2002 became enforceable against NT agencies on 1 July 2004, although local authorities have been given another year. Information Commissioner Peter Shoyer has spent the last two years preparing the NT public service and community for the introduction of the enforceable regime . He is also seeking feedback on experience with the Act to date. The Commissioner’s web site provides for the reporting of decisions and case studies, but there are none to date due to the short time since enforceability commenced..
The Victorian Commissioner, and to a lesser extent Privacy NSW have continued to make selective submissions to national enquiries and consultations – often making an important contribution on issues which the federal Commissioner might have been expected to take the lead. Recent examples include the federal review of the employee records exemption, proposed changes to the Telecommunications (Interception) Act and the Australian Communications Authority’s consultation on mobile phone location.
This activity illustrates the generic issue of how the privacy regulators in the different Australian jurisdictions cooperate, with an underlying question as to whether they can necessarily be expected to always agree on issues. There is clearly a recognition that with limited resources it makes sense to avoid unnecessary duplication, while also recognising that Commissioners will sometimes have a distinctive perspective. The Commissioners continue to meet periodically in the PANZA forum (originally Privacy Agencies of New Zealand and Australia, although the Hong Kong Commissioner and observers from other regional jurisdictions now routinely attend).
All URLs in footnotes accessed 13-15 August 2004
 NSW Law Reform Commission Report 98, Surveillance: An Interim Report, June 2002
 See http://www.privacy.vic.gov.au
 See http://www.health.vic.gov.au/hsc/
 See http://www.lawreform.vic.gov.au/
 See http://www.iie.qld.gov.au/site/informationstandards/current.asp
 See http://www.transport.qld.gov.au/qt/LTASinfo.nsf/index/NQDL_information_kit
 See http://www.stopidcard.com/
 See http://www.cmc.qld.gov.au/PRC_INQUIRY.html
 See http://www.foi.wa.gov.au/
 See http://www.premcab.sa.gov.au/pdf/circulars/Privacy.pdf
 See http://www.archives.sa.gov.au/files/privacy_annualreport_02-03.pdf
 See http://www.go.tas.gov.au/standards/privacy/privacy.htm
 See http://www.go.tas.gov.au/standards/privacy/privacylegislat_nov01.htm
 See http://www.healthcomplaints.act.gov.au/c/hcc
 See http://www.infocomm.nt.gov.au/