Consultation Paper 3 - Privacy Legislation in NSW; Submission to the NSW Law Reform Commission (October 2008)

Submission to the NSW Law Reform Commission

October 2008

Key Recommendations

The Office supports proposals made by the New South Wales Law Reform Commission that would promote national consistency in privacy regulation. This includes:

  • Proposal 1 – Reforms of New South Wales privacy law should aim to achieve national consistency
  • Proposal 2 – New South Wales should co-operate with the Commonwealth in the development of privacy principles that are capable of application in all New South Wales privacy legislation.
  • Proposal 6 – All state owned corporations should be covered by privacy legislation.

The Office supports proposals to amend the relevant NSW legislation to clarify that the Privacy Act 1988 is the single source of obligation for privacy regulation in the private sector. This includes:

  • Proposal 3 – New South Wales legislation should only apply to the handling of personal information by public sector agencies.
  • Proposal 5 – The Health Records and Information Privacy Act 2002 should be amended so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth).

The Office considers that the overarching goal should be to achieve uniformity in privacy regulation across Commonwealth, state and territory jurisdictions. Where uniformity is not possible, at a minimum there should be consistency in privacy protections across all jurisdictions.

Overview

1. The Office appreciates the opportunity to make this submission to the New South Wales Law Reform Commission (NSWLRC) on Consultation Paper 3 titled ‘Privacy Legislation in New South Wales.’

2. The Office of the Privacy Commissioner (‘the Office’) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way agencies and organisations collect, use, store and disclose individuals’ personal information.

3. In December 2007, the Office had the opportunity to provide a response to the Australian Law Reform Commission’s (ALRC) Review of Privacy, Discussion Paper (DP) 72.[1] This followed earlier submissions made to the ALRC on its Issues Papers 31 and 32.[2] A key theme of all three submissions is the central importance of achieving greater national consistency in privacy regulation.

4. The lack of consistency between federal and other jurisdictions, and the existence of separate standards for public and private sectors, introduce unnecessary complexity and uncertainty in privacy regulation.

5. The NSWLRC’s recommendation that reform of privacy laws in NSW should aim to achieve national uniformity is particularly welcomed.

6. The Office is also encouraged that the NSWLRC proposes the amendment of the Health Records and Information Privacy Act 2002 so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth) (‘the Privacy Act’). This aligns with the Office’s view that the Privacy Act should ‘cover the field' in regard to personal information privacy in the private sector.

7. The Office does not propose to provide an in-depth response to all of the technical issues raised in the NSWLRC’s Consultation Paper, including those that go to the functions and activities of the NSW Privacy Commissioner. In general though, the Office submits that the details of the NSW privacy principles, and related provisions, should be consistent with the federal Privacy Act 1988 (‘Privacy Act’) to the greatest extent possible.

8. In the Office’s view, privacy regulation will benefit from structural consistency as far as this is possible. This would help to promote common understanding of privacy regulation by all parties and would reduce the possibility of unintended inconsistency on matters of detail.

Structure of this submission

9. This submission follows the structure of Consultation Paper 3.

10. The focus of the Office’s comments is on those proposals and issues which are integral to the aim of achieving national consistency in privacy regulation.

11. Generally, this submission refers to the ‘model’ UPPs as recommended by the ALRC in its final report, For Your Information: Australian Privacy Law and Practice.[3] However, a number of the proposals or issues in the NSWLRC’s Consultation Paper 3 refer to specific UPPs as proposed in the ALRC’s Discussion Paper 72 (‘DP 72’). To avoid confusion, in such instances, the Office refers to UPPs enumerated in DP 72 as being ‘proposed’ UPPs.

CHAPTER 1 INTRODUCTION

Proposal 1 – Reforms of New South Wales privacy law should aim to achieve national consistency

12. The Office supports proposal 1.

13. The proposal is consistent with the Office’s position in its submission to the ALRC’s DP 72. A key theme in that submission is the central importance of achieving greater national consistency in privacy regulation. It was also a key theme in the Office’s review of the Private Sector Provisions of the Privacy Act in March 2005.[4]

14. Harmonising privacy regulations would:

  • reduce compliance difficulties for agencies and organisations
  • empower individuals to better understand and exercise their privacy rights and
  • help to promote clear and common understanding of privacy obligations across the community.

15. The Office considers that privacy protections in state and territory jurisdictions should be at least consistent with, and equivalent to, the Privacy Act 1988 (Cth) (‘the Privacy Act’). While consistency is desirable, the Office suggests that, where possible, uniformity in privacy regulation between jurisdictions is preferable.

Proposal 2 – New South Wales should co-operate with the Commonwealth in the development of privacy principles that are capable of application in all New South Wales privacy legislation.

16. The Office agrees with proposal 2.

17. The Office supports the development of a cooperative federal-state approach in which the proposed Uniform Privacy Principles (UPPs) would form the basis for privacy legislation at the state and territory level.

18. The ALRC has proposed, and the Office agrees, that this model be given effect through dialogue held within the Standing Committee of Attorneys-General.[5]

Proposal 3 – New South Wales legislation should only apply to the handling of personal information by public sector agencies.

19. The Office agrees with proposal 3.

20. This is discussed further below, in our comments on proposal 5 about the handling of health information by private sector organisations.

CHAPTER 4 ACHIEVING A CLEAR AND CONSISTENT LEGISLATIVE STRUCTURE

Proposal 5 – The Health Records and Information Privacy Act 2002 should be amended so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth).

21. The Office agrees with proposal 5.

22. The regulation of private sector health information by both federal and state privacy legislation results in overlap and inconsistency.

23. As an example of lack of consistency in legislation, NSW privacy legislation specifies the form of access that organisations must provide (such as a copy) when individuals access their health information.[6] In contrast, the Privacy Act does not stipulate the form of access that must be provided, only that access in some form is granted (NPP 6.1).

24. Private medical practitioners in NSW may therefore be bound by two different legislative standards regulating the same practices.

25. In this example, it is possible that an organisation could comply with NPP 6.1, but breach the Health Records and Information Privacy Act 2002 (NSW) while undertaking the same activity. If a complaint were lodged, it is possible that Privacy NSW could find a breach in an instance where the Office may not. Such confusion may lead to uncertainty and complexity, including raising complex questions of constitutional law.

26. This inconsistency is also a major obstacle to effective national developments in the health sector, such as electronic health records systems, which could facilitate the flow of health information across jurisdictional boundaries.

27. In its response to DP72, the Office submitted that section 3 of the Privacy Act should be amended to clarify that it ‘covers the field' in regard to personal information privacy in the private sector.[7] This would be particularly relevant in the area of private health service delivery.

CHAPTER 5 SCOPE OF PRIVACY PROTECTION

Issue 8

(a) Should the exemptions in any or all of the following provisions remain or are they made unnecessary by s 20(5) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 22(3) of the Health Records and Information Privacy Act 2002 (NSW) and Schedule 1 to the Freedom of Information Act 1989 (NSW):

  • s 4(3)(e) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(h) of the Health Records and Information Privacy Act 2002 (NSW);
  • s 4(3)(i) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(3)(l) of the Health Records and Information Privacy Act 2002 (NSW); and/or
  • s 4(3)(ja) of the Privacy and Personal Information Protection Act 1998 (NSW)?

(b) If any or all of the exemptions are to remain, should the information referred to in each provision be exempt from all the IPPs and HPPs or only some of them? Which, if any, IPPs and HPPs should apply to the information?

(c) If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged into one Act, how should the exemptions be worded if they are retained?

28. In its submission to the ALRC’s DP 72, the Office recommended that there should be minimal exemptions under the Privacy Act. This would promote effective protection of privacy rights while reducing regulatory fragmentation.[8]

29. The Office considers that to achieve consistency in the privacy regulation, exemptions to privacy laws in state and territory jurisdictions should also be minimised. Exemptions should only be established where there are clear and compelling public policy reasons for doing so.

Issue 18

(a) Should information contained in photographs or video images come within the definition of “personal information”?

(b) Should this depend on whether an individual’s identity is apparent or can reasonably be identified from the visual image?

(c) If the definition of “personal information” should include visual images, should this be clarified in the legislation?

(d) Should some of the IPPs, but not others, apply to visual images that contain personal information? If so, which ones should apply?

30. In response to elements (a) and (b) of this issue, the Office considers that the definition of ‘personal information’ should cover photographs or video images where the individual’s identity is apparent, or can reasonably be identified from the visual image.

31. The Office believes that this definition should be clarified in NSW legislation to remove any uncertainty as to whether ‘personal information’ covers visual images.

32. The Office submits that all of the privacy principles should apply to visual images where they meet the threshold tests of identifying an individual and being collected into a record. By way of contrast, live-streaming CCTV images that are not recorded are not currently covered by the Privacy Act.

Issue 19

(a) Should the meaning of the phrase “or can reasonably be ascertained from the information or opinion” in s 4(1) of the Privacy and Personal Information Protection Act 1998 (NSW) and s 5(1) of the Health Records and Information Privacy Act 2002 (NSW) be clarified?

(b) If so, should this be by an amendment to the legislation or should it be left to judicial construction or the publication of a Privacy Guideline?

33. In its response to DP 72, the Office agreed with the ALRC that the Privacy Act should define ‘personal information’ as: ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.[9]

34. The Office notes the proposed change from the Privacy Act’s current reference to ‘about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion’ to the ALRC’s proposed words: ‘about an identified or reasonably identifiable individual.’ The ALRC’s proposal appears to express essentially the same principle, but with greater clarity.

35. The ALRC has recommended that the meaning of the term ‘identified or reasonably identifiable’ be clarified through guidance material, rather than statutory explanation.[10] Such an explanation may require nuanced and careful elaboration that might not be given best effect through legislative drafting.

36. The Office therefore considers that to promote consistency in privacy regulation, the definition of ‘personal information’ in NSW privacy laws should be clarified in guidance material.

Issue 23 – If information is “unsolicited”, what IPPs or HPPs, if any, should apply to that information? Should all of the provisions of the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) apply to unsolicited information, except the collection IPPs and HPPs?

37. The Office considers that the NSW privacy principles should include a principle equivalent to proposed UPP 2.5. This is discussed further at issue 39, which specifically addresses proposed UPP 2.5, though it should also be noted that the ALRC has broadly reflected this principle in its final model UPP 2.4.

38. The approach taken by the ALRC in proposed UPP 2.5 is to provide that, if an agency or organisation receives unsolicited personal information, it must either:

  • destroy the information without using or disclosing it; or
  • comply with all relevant provisions in the UPPs as if the agency or organisation had actively collected the information.[11]

39. Making it clear that the collection principle applies where an entity retains unsolicited personal information from a third party would require the entity to consider whether:

  • it can lawfully collect such information, and if so
  • it wishes to retain such information.

40. If the entity retains the information it would then need to comply with all relevant provisions in the UPPs. This includes, for example, informing the individual concerned that the collection has taken place and checking the accuracy of information obtained from third parties.

Proposal 6 – All state owned corporations should be covered by privacy legislation.

41. The Office agrees with proposal 6.

42. The NSWLRC recognises the disparity in the regulation of personal information held by state statutory corporations and private sector organisations.[12]

43. State and territory statutory corporations may also be at a competitive advantage over other private sector organisations in that they are exempt from privacy regulation.

44. In its submission to the ALRC’s Issues Paper 31, the Office noted that, when enacting the Privacy and Personal Information Protection Act 1998, the then NSW Attorney explained that:

The exemption for State-owned corporations was originally provided in the bill on the basis that to do otherwise would put State-owned corporations at a competitive disadvantage with the private sector. The Government has taken the view that State-owned corporations should be covered by privacy legislation only when the private sector is similarly covered.[13]

45. Significantly, he went on to state that:

When the Act evolves to include coverage of the private sector, State-owned corporations will be similarly covered by the information and privacy principles of the legislation.

46. While the NSW Act does not cover the private sector, the introduction of the NPPs in the Privacy Act in 2001 has created obligations for that sector, which are not shared by NSW statutory corporations. The Office does not believe that there is a public policy reason to support this inconsistency.

47. Accordingly, the Office proposed in its submission on the ALRC’s Issues Paper 31 that the Privacy Act should apply to state and territory statutory corporations except where equivalent privacy legislation has been made in the relevant jurisdiction.[14]

Proposal 7 – The Privacy and Personal Information Protection Act 1998 (NSW) should be amended to provide that where a public sector agency contracts with a non-government organisation to provide services for government, the non-government organisation should be contractually obliged to abide by the IPPs and any applicable code of practice in the same way as if the public sector agency itself were providing the services.

48. The Office agrees with proposal 7.

49. The Office has ongoing concerns that state or territory government contractors, who are otherwise private sector organisations, may not be bound by the Privacy Act or equivalent standards when performing functions under state or territory contracts.[15]

50. The Office recognises that, in passing the Privacy Amendment (Private Sector) Bill 2000, the Parliament intended that the acts and practices of state and territory government contractors ‘will not be covered by the Commonwealth's privacy scheme but rather the State or Territory's own privacy standards.’[16] The Parliamentary Bills Digest explains that ‘…the rationale being that such activities should be regulated at State or Territory level’.[17]

51. In its response to the ALRC’s DP 72, the Office recommended legislative amendments to ensure that state and territory contractors are bound by the Privacy Act or equivalent legislation.[18]

52. This could be achieved by all states and territories enacting privacy legislation for their agencies and contractors that is at least equivalent to the Privacy Act.

Issue 29 – If a statutory cause of action for invasion of privacy is to be enacted, what should be its relationship to the Privacy and Personal Information Protection Act 1998 (NSW)?

53. As discussed in its submission to the NSWLRC’s Consultation Paper 1, the Office supports the development of a statutory cause of action for invasion of privacy.[19] The Office also supported a statutory cause of action in its response to DP 72.[20]

54. The Office encourages the ongoing collaboration between governments to propose a cause of action that could be uniformly applied across all jurisdictions to ensure consistency and promote certainty.

CHAPTER 6 THE PRIVACY PRINCIPLES

Issue 30 – Should IPP 1 be amended to include a provision that a public sector agency must not collect personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, sexual activities or criminal record (defined as “sensitive information”) unless the collection is strictly necessary?

55. The Office understands that the Privacy and Personal Information Protection Act 1998 (NSW) does not currently apply any additional restrictions to the collection of sensitive information beyond those which apply to all types of personal information.

56. Under the private sector provisions of the Privacy Act, an organisation must not collect sensitive information unless the individual consents or certain other conditions are met.[21] The Information Privacy Principles (Commonwealth) do not regulate the collection of sensitive information by agencies separately from other forms of personal information.

57. As stated in its response to the ALRC’s IP 31, the Office is of the view that sensitive information should be afforded consistently robust protections regardless of the stage of the process in which, or by whom, it is handled.[22]

58. Accordingly, the Office submits that the collection of sensitive information should be more strictly regulated in NSW privacy laws than is non-sensitive personal information. However, the Office considers that to promote national consistency, the privacy principle regulating collection of sensitive information should be equivalent to, and preferably uniform with, the relevant UPP.

59. The ALRC has recommended in model UPP 2.5[23] that an agency or organisation must not collect sensitive information about an individual unless certain conditions are met.[24] Generally, consent to the collection from the individual is required unless another exception applies. There is no restriction on the collection of sensitive information to that which is ‘strictly necessary’.

60. Further, the requirements for collection of sensitive information under model UPP 2.5 are additional to the other obligations in UPP 2 relating to the collection of all personal information. These obligations include, among other things, that an entity must not collect personal information unless it is necessary for one or more of its functions.

61. The Office is unsure how a distinction between ‘necessary’ and ‘strictly necessary’ could be applied and whether this could result in regulatory uncertainty and inconsistency.

62. As an amendment of the type suggested in issue 30 has the potential to introduce significant inconsistency in how federal and NSW law regulates the handling of sensitive personal information, the Office submits that it should not be pursued.

Issue 31 – Should collection of sensitive information be allowed if necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person?

63. The Office considers that collection of sensitive information should be allowed if necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person. This would be consistent with NPP 10.1 (c).

64. The ALRC has recommended in model UPP 2.5 (c) that collection of sensitive information would be permitted if it ‘is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information concerns is legally or physically incapable of giving or communicating consent’.[25]

65. As discussed in its response to DP 72, the Office does not support the proposal to remove the requirement of ‘imminence’ from model UPP 2.5 (c).[26] A sole test of ‘serious threat’ may create ambiguity and be difficult to apply.

66. The requirement that a threat be both serious and imminent plays an important role in preventing individuals’ privacy protections from being reduced unless the circumstances give rise to an immediate and compelling need.

67. In its response to proposal 22-3 of DP 72, the Office discussed at length the importance of the co-tests of ‘serious and imminent’ for the purposes of authorising information handling practices without an individual’s consent.[27]

Proposal 8 – If the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) are merged, the provision governing collection of personal information directly from an individual should contain the two exceptions currently provided for in IPP 2 together with a third exception currently provided for in HPP 3, namely that information must be collected from the individual unless it is “unreasonable or impractical to do so”.

68. The ALRC has recommended in model UPP 2.3 that, “If it is reasonable and practicable to do so, an agency or organisation must collect personal information about an individual only from that individual.”[28] The Office supported this approach when it was proposed in the ALRC’s DP 72.

69. In general, the Office considers that amendments to NSW privacy laws should be consistent, and preferably uniform, with any amendments to the Privacy Act. It is unclear whether regulatory inconsistencies would result from this proposal and the model UPP, though the Office notes that such inconsistencies can occur even where unintended.

Issue 36

(a) Should “use” and “disclosure” be treated as one concept such as “processing”, or as a combined phrase such as in the proposed UPP 5, with the one set of privacy standards and exemptions applying?

(b) Alternatively, should the same privacy standards, and exemptions from those standards, contained in the HPPs apply equally to “use” and “disclosure” of information?

70. The Office considers that ‘use’ and ‘disclosure’ should be treated as a combined phrase as in the proposed UPP 5, with one set of privacy standards and exemptions applying. The Office notes that the ALRC has proposed such an approach for model UPP 5.

71. In its submission to DP 72, the Office expressed the view that a single principle applying to how agencies and organisations use and disclose personal information would significantly reduce complexity in privacy regulation.[29]

72. As noted previously, the Office considers that, as far as possible, there should be structural consistency in privacy laws across jurisdictions. This would promote common understanding of privacy laws, enable compliance and would reduce the likelihood of unintended inconsistency on matters of detail.

Issue 38 – Do IPPs 10 and 11 and HPPs 10 and 11 apply to unsolicited information? If not, should they apply?

73. The Office considers that IPPs 10 and 11 and HPPs 10 and 11, which regulate the use and disclosure of personal information, should apply to unsolicited information. This is discussed further at issue 39 below.

Issue 39 – Should the privacy principles include a principle in terms identical, or equivalent, to the proposed UPP 2.5?

74. The Office considers that the privacy principles should include a principle identical, or equivalent, to proposed UPP 2.5.[30] The Office notes that the ALRC has proposed a model UPP which is essentially identical to that proposed in its earlier discussion paper (model UPP 2.4).

75. Many agencies and organisations receive a large amount of unsolicited personal information. Frequently, such information is provided by third parties. In the Office’s view, the fact that the information is unsolicited should not mean that it falls outside of the protection of the privacy principles.

76. The Office considers that the inclusion of a principle at least equivalent to the ALRC’s proposed UPP 2.5 (or model UPP 2.4) in NSW privacy laws, is necessary to achieve national consistency in privacy regulation.

Issue 41 – Should disclosure of an individual’s criminal history and record be restricted under s 19 of the Privacy and Personal Information Protection Act 1998 (NSW)?

77. The Office supports such a restriction. This would be consistent with the approach taken in the Privacy Act.

78. Further, as the ALRC observes, criminal record information is highly personal and has the potential to give rise to unjustified discrimination against individuals.[31]

[2] These three submissions are available at http://www.privacy.gov.au/act/alrc/index.html.

[3] ALRC Report 108, available at: #Heading25

[4] Getting in on the Act: Review of the Private Sector Provisions of the Privacy Act, chapter 2, available at: http://www.austlii.gov.au/publications/submissions/alrc_72/PartA.html#ach52

[6] Health Records and Information Privacy Act 2002 (NSW), section 28.

[8] See Executive Summary, paragraph 17, available at: http://www.privacy.gov.au/publications/submissions/alrc_72/exec_summary.html

[10] See Recommendation 6-2, ALRC Report 108, For Your Information: Australian Privacy Law and Practice, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/_4.html#Heading25

[11] The Office notes that proposed UPP 2.5 in DP 72, is ‘model’ UPP 2.4 in the ALRC’s final report, Report 108, For Your Information: Australian Privacy Law and Practice, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/_4.html#Heading25

[12] Paragraph 5-80, NSWLRC Consultation Paper 3, Privacy Legislation in New South Wales, 2008.

[13] The Hon J Shaw, Hansard extract, NSW Legislative Council, 25 November 1998 (article 46), available at: http://gov.au/prod/parlment/hansart.nsf/8bd91bc90780f150ca256e630010302c/ca256d11000bd3aa4a2566e10083685e!OpenDocument.

[14] Paragraphs 46-52 at pp 169-172, available at: http://www.privacy.gov.au/publications/submissions/alrc/all.html#L17827.

[15] Privacy Act 1988 (Cth), s 7B(5).

[16] Privacy Amendment (Private Sector) Bill 2000 Explanatory Memorandum.

[22] See paragraph 4, chapter 4, available at: http://www.privacy.gov.au/publications/submissions/alrc/c4.doc

[23] For clarity, it should be noted that model UPP 2.5 is distinct from proposed UPP 2.5 discussed earlier in this submission. Proposed UPP 2.5 has taken the form of model UPP 2.4 in the ALRC’s final report.

[24] See model UPP 2.5, ALRC Report 108, For Your Information: Australian Privacy Law and Practice, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/_4.html#Heading25

[25] Ibid.

[28] See model UPP 2.3, ALRC Report 108, For Your Information: Australian Privacy Law and Practice, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/_4.html#Heading25

[30] As noted at Issue 23, proposed UPP 2.5 (‘model’ UPP 2.4) provides that if an agency or organisation receives unsolicited personal information it must either destroy the information without using or disclosing it; or comply with all relevant provisions in the UPPs as if the agency or organisation had actively collected the information.

[31] See ALRC Report 108, For Your Information: Australian Privacy Law and Practice, chapter 6, available at: http://www.austlii.edu.au/au/other/alrc/publications/reports/108/6.html#Heading283