Privacy Law and Policy Reporter
Graham Greenleaf and Lee Bygrave
Tasmania’s new data protection legislation for the State public sector, the Personal Information Protection Act 2004 was assented to in December 2004 but it is not yet in force. The Tasmanian Government projects a commencement date of 5 September 2005 . The Act provides (in Schedule 1) for a set of 10 Personal Information Protection Principles (PIPPs) to govern processing of personal information, which must be complied with (s. 17(1)) by so-called “personal information custodians”.
Scope and exemptions
The Act applies to “personal information custodians” (defined in s. 3) including state government agencies, statutory boards and government business enterprises, the University of Tasmania, as well as local councils and any other organisation or person who has entered into a “personal information contract” (defined in s. 3 as a contract between a personal information custodian and another person relating to the collection, use or storage of personal information).
There are numerous exemptions or potential exemptions from the Act, including the following:
• The Act does not apply to public information (s. 8) defined to mean information that is “(a) contained in a publicly available record or publication’; or (b) taken to be public information under any Act” (s. 3). It is likely that (a) would not stop collection principles applying before the information was first collected for inclusion in a publicly available record or publication.
• The collection principles do not apply to the collection of unsolicited information (s. 11).
• The Act has only limited application to “basic personal information”, defined to mean “the name, residential address, postal address, date of birth and gender of an individual” s. 3). Such information may be used, or disclosed to another public sector body, without consent, where “reasonably necessary for the efficient storage and use of that information” (s.12).
• There are exemptions from certain of the PIPPs with respect to employee information (s. 10).
• Courts and tribunals are exempt (s. 7).
• A personal information custodian may seek exemption from the PIPPs, with the Minister for Justice and Industrial Relations having competence for determining such applications.
The PIPPs approximate the NPPs in the Privacy Act 1988, though some influences from Victorian and NSW legislation are discernible. Some of the terminology – as indicated above – is unique (viz., e.g., “personal information custodian”), albeit cumbersome and unnecessarily difficult to map onto more commonly used terminology in the equivalent legislation of other jurisdictions. The PIPPs by and large share the strengths and weaknesses of the NPPs in the federal Privacy Act 1988,.
Procedural and enforcement mechanisms
The Act does not establish a Privacy Commissioner but relies on the existing Ombudsman scheme to manage complaints. The Ombudsman is an independent statutory officer so the scheme has more independence from government than the non-statutory schemes in South Australia and Queensland. The Ombudsman may only make give advice and make recommendations upon finding a breach of the PIPPs (s. 22). These recommendations must be tabled in Parliament within five sitting days of receipt (s. 22(3)). This might place some pressure on agencies to resolve complaints for fear of adverse publicity. The Act does not provide data subjects with a means for obtaining a decision compelling compliance with the PIPPs. There is no avenue for enforcement of the PIPPs through the courts or an administrative decisions tribunal, unlike in the Commonwealth, NSW, Victoria and the Northern Territory. In terms of formal enforcement provisions, this is the weakest privacy legislation enacted in Australia for twenty years. Whether the Ombudsman can make it effective, and verifiably so, remains to be seen.
There is some other relevant legislation benefiting privacy protection in Tasmania, but it is insufficient in itself to compensate for the limitations of the Personal Information Protection Act 2004. The legislation includes: Telecommunications (Interception) Tasmania Act 1999; Listening Devices Act 1991 and Listening Devices Regulations 1992; Freedom of Information Act 1991 (providing enforceable rights of access and correction of public sector records); Archives Act 1983; and Annulled Convictions Act 2003 (on spent convictions).
Graham Greenleaf is Professor of Law at University of New South Wales, and General Editor of PLPR. Lee Bygrave is Associate Professor, Faculty of Law, University of Oslo, Norway.
 The Act is on the Tasmanian EnAct website at <http://www.thelaw.tas.gov.au/tocview/index.w3p;cond=all;doc_id=46%2B%2B2004%2BAT%40EN%2BSESSIONAL;histon=;prompt=;rec=;term=> See <http://www.go.tas.gov.au/standards/privacy/personal_information_protection.htm>