Privacy Law and Policy Reporter
The submission by Privacy NSW to the review of the State’s privacy legislation is one of the most comprehensive and critical analyses of the Act since its enactment. Anna Johnston was NSW Deputy Privacy Commissioner at the time of writing the submission.(General Editor)
The NSW Privacy and Personal Information Protection Act 1998 (the PPIP Act) is being reviewed five years after commencement, as is standard practice in NSW. The review is provided for in s.75 of the Act itself:
(1) The Minister is to review this Act to determine whether the policy objectives of the Act remain valid and whether the terms of the Act remain appropriate for securing those objectives.
The NSW Attorney General’s Department is conducting the review. At last count the Attorney General’s Department had received over 70 submissions to the review. A report of the outcome of the review must be tabled in Parliament by the Attorney General by 30 November 2004. However there is no obligation upon the government to follow any recommendations of the review.
The Privacy NSW response
Privacy NSW, the office of the NSW Privacy Commissioner, lodged a comprehensive submission , taking over 130 pages to outline our experience in administering the legislation, through our education, research, advice and complaints-handling functions.
The submission canvases why we have the PPIP Act, its genesis and objectives, whether the Act meets its objectives, and how it could be improved. The submission also reviews whether there is a continued need for privacy protection in the post-September 11 world, what is the appropriate role for a Privacy Commissioner, and where privacy should sit within the wider framework of information management laws such as FOI and records management.
This and a following article highlight Privacy NSW’s response to the self-posed question ‘Is the PPIP Act improving privacy protection?’through extracts  which focus on two areas of particular significance:
• the adequacy of the privacy standards in the PPIP Act – do they meet public expectations? are they flexible and appropriate?
• the adequacy of the enforcement mechanisms in the PPIP Act – are they effective? are they fair?
Public expectations and trust
What level of privacy protection is expected by the public? Has it changed since 1998?
Far from being the ‘death of privacy’, the few years since September 2001 has actually seen an increase in the volume of informal enquiries made to Privacy NSW, as well as rapid growth in the number of privacy complaints proceeding to the Administrative Decisions Tribunal for review. However these are not the only measures by which one can assess the state of public expectations or concerns about privacy.
Surveys conducted by the Office of the Federal Privacy Commissioner in 2001 indicated that 68% of Australians regard the use of their personal information for a purpose other than that for which it was originally intended as a breach of their privacy, while around 90% of Australians believe it is important that they know how their personal information might be used by the organisation collecting it, as well as to whom else it might be disclosed. The survey also suggested that 42% of Australians have refused to deal with organisations they felt did not adequately protect their privacy .
In the last Australian census, also conducted in 2001, there was a question about whether or not each person consented to the government keeping their individually identified census form and releasing it in 99 years, rather than having it pulped as soon as the statistical data was collected, as has been the practice before. Almost half of all Australians take their privacy so seriously that they refused to let the government keep their census forms for 99 years. It is interesting to note that the response rate differs across the population, according to both age and ethnicity. Less than 40% of people born in England said ‘no’, but almost 60% of those born in Vietnam said ‘no’. The ‘no’ response rate also increased with the age of the respondent, with the exception of the 0-5 years old group.
A more recent survey , which compared Australians’ attitudes and expectations about privacy with people in four other countries, suggests that Australians in general place greater store in the protection of privacy, and are less likely to want their privacy to be traded off for other interests. The 2003 survey found Australians less likely than the total sample to agree that identity cards are necessary to main national security, or help to guard against either terrorism or illegal immigration . Australians were also more likely to see identity cards as an infringement on their personal liberty, and to be unwilling to trade-off privacy for convenient services.
The same survey suggests that 93% of Australians, compared with 86% of the total sample across five countries, believe that the law should protect the privacy of consumers online. Furthermore the majority of Australians, at even higher rates than their counterparts in the other countries surveyed, are more likely to shop online if consent is required to the disclosure of their personal information (86% agree), and would be even more comfortable about conducting transactions online if vendors were required by law to notify their customers of any breach of security that could compromise their personal information (92%). Almost 80% of Australians believe that privacy laws help to make e-commerce safer.
These results have implications for the Government as it seeks to increasingly conduct government business online, through such projects as Health e-Link and the Government Licensing System.
Indeed the link between a prosperous economy and a government that inspires confidence and trust has been confirmed by the Australian Treasurer and the Productivity Commission .
Yet public expectations about what constitutes a ‘breach of privacy’ may not always be reflected in the law. For example of all the matters which proceeded to internal review in 2002-03, in 70% of cases the conduct complained of was found to have occurred, yet in only 18% of cases was the conduct found to have been in breach of the information protection principles without lawful excuse . This suggests that many complainants’ expectations about how the law is supposed to protect their privacy is not being met by the PPIP Act.
In short, the PPIP Act provides a lower level of privacy protection than people often think it does.
The adequacy of the law
From the perspective of Privacy NSW, the PPIP Act has many loopholes and gaps.
Particularly concerning are exemptions which have the potential to undermine, rather than merely modify, the protection supposed to be afforded under the Act. Furthermore the essentially adversarial nature of the model of complaints-resolution introduced in the PPIP Act provides an incentive for government agencies to ensure that each one of these exemptions is pushed to its limit, rather than construed narrowly.
The ease with which the privacy protection afforded by Parliament the PPIP Act may be overridden by the government of the day through subordinate legislation and other statutory instruments has ensured that the level of privacy protection is a moveable feast, but only moving in one direction – away from the highest standards of privacy protection.
Furthermore the PPIP Act has itself been amended without any consultation with the Privacy Commissioner , as has the PPIP Regulation . These amendments have provided further exemptions from the privacy protections afforded by the Act, and diminished the accessibility of an enforceable remedy for people who suffer breaches of the legislated standards.
In short, the PPIP Act provides less privacy protection now than it did on the day it fully commenced, 1 July 2000.
Flexibility of the IPPs
The PPIP Act is an instance of principle based legislation being applied in a legal system which is more familiar with applying legal rules . Principle based legislation requires an approach to interpretation which treats the principles as a reference point and guide to seeking particular outcomes but recognises that they can not be imposed absolutely and that their application may need to take into account other principles. The application of legal rules requires a much closer fit between conduct and the rules governing it.
Yet the drafting of the PPIP Act does not consistently reflect the principle based approach inspiring the legislation. The difficulties this creates for interpretation extend to the arrangement and substantive provisions of the Act itself, as many of the exemptions which are necessary to the practical operation of the Act are expressed in a rule based form. Defining the scope of the information protection principles is also affected by the enforcement process under the Act, which unlike similar legislation in other jurisdictions, gives the Tribunal a primary enforcement function and accords a more limited role for the statutory privacy authority.
The drafting of a mandatory ‘principle’ is thus a difficult task. In effect, the IPPs contain a mix of both:
• core privacy principles, and
• the prescriptive mechanisms by which each principle is to be obtained.
For example, the core privacy principle of ‘collection limitation’ is described in the OECD Guidelines as:
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
In practice, under the NSW law, this core privacy principle is to be achieved by complying with IPPs 1-4. Taking just one of the IPPs as an example, IPP 2 states:
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a) the individual has authorised collection of the information from someone else, or
(b) in the case of information relating to a person who is under the age of 16 years---the information has been provided by a parent or guardian of the person.
That is, IPP 2 allows certain things (the collection of information about a person aged under 16 from their parent or guardian) and prohibits others (the collection of information about a person aged under 16 from other sources without their authorisation; the collection of information about a person aged 16 or older from any other source without their authorisation).
In this sense, the ‘collection limitation’ principle is to be achieved by following a very specific mechanism for collection of personal information, which allows certain things and prohibits others.
It is our submission that while the core privacy principles are sound, the mechanisms by which those principles are expected to be achieved can sometimes be too rigid.
Privacy is a right that affects how individuals interact with organisations, and in that sense is about regulating relationships. This is a complex task to achieve - covering the full spectrum of citizen to government interactions in 12 sections.
Information privacy laws are not one-way or passive laws; they assume some level of responsibility on the citizen to participate in the protection of their privacy. They create a citizen-focussed framework, in which the citizen is expected to give or refuse consent to how their personal information will be collected, used or disclosed. The law therefore assumes that all people are equally capable of exercising their privacy rights within this framework.
Yet the law is a blunt instrument, and often cannot take account of the realities of people’s lives. IPP 2 for example does not explain:
• how to obtain ‘authorisation’ from a person aged 16 or older to collect information from someone else, if that person has limited or no capacity to provide or refuse an authorisation
• whether or in what circumstances people aged under 16 should be dealt with directly instead of through their parent or guardian
• how to obtain ‘authorisation’ from a person aged under 16 to collect information from someone other than their parent or guardian
The first issue identified above - that of adults with limited or no capacity to make decisions regarding their personal information – has therefore proven particularly challenging for public sector agencies in understanding and applying their obligations under the PPIP Act.
To note that there has been difficulty in complying with the letter of law in terms of the mechanisms is not to suggest that the core principles themselves are unsound. Privacy NSW has therefore been particularly concerned to ensure that the solution to these challenges is not the creation of wholesale exemptions from the principles themselves. We would prefer to see solutions that ensure the core privacy standards are achieved, not diminished.
For example we have recently published a best practice guide: Privacy and people with decision-making disabilities, which attempts to provide more flexible mechanisms in which to achieve the core privacy principle at issue . The guide was prepared to assist NSW public sector agencies to apply the IPPs in a manner that protects and promotes, to the greatest extent possible, the privacy of adults with a decision-making disability.
Privacy NSW would support amendments to the PPIP Act to enable this type of solution to have equal footing with the IPPs themselves.
This type of flexibility is already a feature of other privacy law in NSW, namely under the Health Records & Information Privacy Act 2002, which allows the Privacy Commissioner to make statutory guidelines which then form part of the enforceable privacy principles .
Exemptions to the IPPs
Part 3.1.2 of the submission examines the various exemptions to the IPPs. Of particular concern are the exemptions to the definition of ‘personal information’ itself (see section 4(3) in the Act). It is our submission that while a case could be argued for excluding most of the categories of information covered by these exemptions from the operation of one or more of the IPPs, specific exemptions from the relevant IPPs would be preferable to the current situation, which takes these categories outside the scope of the Act altogether.
The public availability exemption
Information about a person collected from a publicly available publication is a category of information that might be considered reasonable and appropriate to exclude from the normal prohibition in IPP 2 on collection of personal information other than from the person themselves. However the current drafting of section 4(3)(b) allows such information to be used or disclosed in ways which would be considered corrupt and be subject to the criminal offence provisions of the Act, were if not for the exemption.
When the potential scope of this exemption is considered and taken to its logical conclusion , the object of the Act itself – an Act to provide for the protection of personal information and for the protection of the privacy of individuals generally – is effectively undermined.
The collection, use and disclosure of information about a person from publicly available sources or from the ‘public domain’ can still have considerable privacy impacts. For example the discredited techniques of the former Special Branch of the NSW Police relied greatly on the creation of dossiers of material collected from publicly available sources such as press clippings.
The risk of inaccurate information, or accurate information being misinterpreted or taken out of context, has only increased since the days of paper files. The power of the internet search engine should prompt a re-examination of exemptions relating to the collection, use and disclosure of information about a person from publicly available publications.
Most of us make distinctions between what we share with our partners or close friends, and what we share with a neighbour over the fence; or what we would tell our doctor compared to what we might tell our employer. Privacy is about respecting these choices; allowing each person some control over who knows what about them. In this sense, privacy is about our ability to define who we are, our very identity, and how we are perceived by others.
If we take seriously the proposition that the IPPs are about protecting informational privacy by putting the control of information about a person back into that person’s hands, it must be accepted that context is everything.
Of further concern is the fact that, combined with the exemption for disclosures to an agency’s minister or the Premier under section 28(3) of the PPIP Act, section 4(3)(b) allows ‘information laundering’ to occur.
The employee exemption
Likewise the employment context is one in which many and varied privacy issues arise, given the personal information likely to be held about employees – details of their bank accounts and tax file number, records of sick leave, personal contact details, applications for employment, transfer or promotion, disciplinary information, criminal record or service checks, reference checks, health checks and so on. Not surprisingly, employees as a class commonly appear as complainants or internal review applicants. However the impact of section 4(3)(j) has effectively been to deny privacy protection to employees of government agencies for much of their personal information.
The ‘other laws’ exemption
We also have concerns about some of the exemptions in Part 2 of the Act. For example section 25 provides an exceptionally broad exemption, as it effectively allows agencies to rely on even the hint of non-compliance under another Act or regulation to justify their non-compliance with almost all of the privacy principles. This has the effect of subordinating a privacy law intended to confer general rights and have general application, to laws limited to specific situations in a way which undermines public expectations and produces wide ranging uncertainty.
We argue that this exemption should be narrowed to a provision similar to that in the Victorian legislation, which gives priority to other legislation only in cases of express inconsistency.
The ministerial briefing exemption
Members of Parliament are exempt from the PPIP Act, and so once personal information is in the hands of a minister or the Premier, its use or disclosure is not subject to the scrutiny of privacy law. This situation is not in question in the submission, although it is worth noting that by contrast, the Federal Privacy Act covers ministers within the definition of ‘agency’.
Nor is it under question that ministers and agencies within their portfolio must be able to freely discuss matters of importance for decision-making at both ministerial and departmental level.
However a reasonable person might assume that one of the objectives of privacy law is to prevent personal information, held in trust by government agencies, from being made available to a wider class of people not subject to that privacy law (such as ministers or MPs) except where necessary, so as to limit the possibility of such information being collected, used or disclosed in an inappropriate manner.
Yet section 28(3)(b) of the PPIP Act allows any disclosure of any personal information by any public sector agency to the Premier for any reason whatsoever. There is no justification for the breadth of this provision.
The impact of section 28(3)(b) is that privacy law does not stand in the way of the Premier of NSW obtaining the medical records of the Leader of the Opposition or those of his family members, or the criminal history of a powerful media figure, or alcohol counselling notes about a senior public servant .
We argue that the exemption in section 28(3) should be narrowed in scope such as to allow proper briefings from public sector agencies to their respective ministers to continue, and possibly even expanded to clarify an agency’s obligations when handling ministerial correspondence on behalf of their minister, while also protecting the privacy of personal information held by those agencies. l
Part 2 of this article, concerning enforcement mechanisms, will appear in the next issue of PLPR
Anna Johnston, is Director, Privacy & Information Management Consulting, Salinger & Co
 The full submission is available on the Privacy NSW website, at www.lawlink.nsw.gov.au/privacynsw
 The remainder of this article is extracts from the submission itself, with only minor amendments to clarify cross-references where necessary.
 Office of the Federal Privacy Commissioner, “The results of research into community, business and government attitudes towards privacy in Australia”, 31 July 2001, available at www.privacy.gov.au
 Drs Milagros (Millie) Rivera Sanchez, Hichang Cho and Sun Sun Lim, from the Information and Communication Management Programme at the National University of Singapore, conducted the research, which was funded by NUS’s Faculty of Arts and Social Sciences. The survey was carried out across five countries by AC Nielson in May 2003: Australia, Singapore, South Korea, the United States and India.
 The comments made here reflect the author’s analysis of the raw data provided by the NUS research team to Privacy NSW and the Office of the Federal Privacy Commissioner.
 Peter Costello, “Building social capital”, speech to the Sydney Institute, 16 July 2003. The Treasurer suggested that “trust facilitates compliance (and) enhances efficiency”.
 See pp 27-30 of the Privacy NSW 2002-03 Annual Report.
 See section 25 of the PPIP Act in relation to other laws, section 29 in relation to the ability of the Attorney General to provide exemptions through codes, and section 41 in relation to the ability of the Privacy Commissioner to provide exemptions through public interest directions.
 The Privacy and Personal Information Protection Amendment (Prisoners) Act 2002 withdrew the ability for prisoners, their family members and associates from seeking compensation for any breach of their privacy. Privacy NSW was not consulted about this amendment.
 The Privacy and Personal Information Protection Regulation 2000 was amended in December 2003 to exempt the Attorney General’s Department from the public register provisions in relation to the register of JPs. Privacy NSW was not consulted about, or notified of, this amendment.
 For the distinction between principles and rules see generally G Dworkin, Taking Rights Seriously, Harvard University Press, Cambridge Mass 1977, Chapter 2 “The Model of Rules 1”. See also E Riedel, “Standards and Sources. Farewell to the Exclusivity of the Sources Triad in International Law?” European Journal of International Law (1991) Vol 2(2) : 58 at pp 74,78, downloaded from http://www.ejil.org/journal/Vol2/No2/art3.html
 See http://www.lawlink.nsw.gov.au/pc.nsf/pages/bpg_disability
 The guidelines made under the HRIP Act are about the mechanisms rather than the core principles themselves – for example, the mechanisms to be used to assess whether or not health information can be disclosed for research purposes. See HPPs 3, 4, 10 and 11.
 Even taking the view that ‘publicly available publication’ only includes such mass publications as newspapers and the White Pages telephone directory, this could take many people’s name, date of birth, home address and home telephone number out of reach of the Act.
 The excision of ‘health information’ from the PPIP Act when the HRIP Act commences will not alter this situation, because the same exemption is replicated in the new HRIP Act