08 Apr 2009
A step closer to uniform privacy laws?
by Alison Tibell
If the NSWLRC's proposals translate into recommendations and are accepted by the NSW Government, then we may be one step closer to uniform privacy laws in Australia.
Late last year the Commonwealth Office of the Privacy Commissioner released its submission to the New South Wales Law Reform Commission ("NSWLRC") in relation to the review by the NSWLRC into privacy legislation in NSW. The Commissioner supported a number of the proposals made by the NSWLRC in its Consultation Paper on privacy law reform in NSW. This article briefly considers the main proposals from the Commissioner to harmonise State and Territory privacy laws with Federal legislation.
The key theme in the submissions made by the Commissioner was the importance of achieving greater national consistency in privacy regulation. The Commissioner considered that the goal of privacy law in Australia should be to achieve uniformity in privacy regulation across Commonwealth, State and Territory jurisdictions and that, at a minimum, there should be consistency in privacy protections across all jurisdictions. The Commissioner particularly welcomed the NSWLRC's proposal that privacy law reform in NSW should aim to achieve national uniformity.
Among the key areas for reform discussed in the Commissioner's submission were the improvement of the regulation of health and information privacy and the sometimes confusing distinction between the regulation of the public and private sectors in privacy law. The Commissioner supported the proposals that would promote national consistency in privacy regulation and would amend the relevant NSW legislation to clarify that the Privacy Act 1988 (Cth) is the single source of obligation for privacy regulation within the private sector.
Overview of submissions
The Commissioner supported the following proposals from the NSWLRC's consultation paper.
- Proposal 1 - Reforms of New South Wales privacy law should aim to achieve national consistency.
The current position is that there is significant inconsistency across federal, State and Territory laws, particularly in the regulation of personal information and health information.
- Proposal 2 - New South Wales should co-operate with the Commonwealth in the development of privacy principles that are capable of application in all New South Wales privacy legislation.
The Commissioner supported the development of a cooperative federal-state approach pursuant to which the proposed Uniform Privacy Principles ("UPPs") would comprise the basis for privacy legislation at a State level. Currently there are separate Health Privacy Principles in New South Wales and other States and Territories. If uniform principles could be adopted across Australia, this would eliminate the need to be aware of and comply with separate principles over different jurisdictions.
- Proposal 3 - New South Wales legislation should only apply to the handling of personal information by public sector agencies.
The current position is that both the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW) ("HRIPA") regulate both private and public sector organisations. This proposal would result in the exemption from HRIPA of private sector health agencies and would minimise inconsistencies between federal and New South Wales regulation.
- Proposal 5 - The Health Records and Information Privacy Act 2002 (NSW) should be amended so that the handling of health information by private sector organisations is regulated under the Privacy Act 1988 (Cth).
The current position is that New South Wales privacy legislation specifies the form of access that organisations must provide (such as a copy) when individuals access their health information. In contrast, the Commonwealth Privacy Act does not stipulate the form of access that must be provided, only that access in some form is granted.
As a result, private medical practitioners in New South Wales may be bound by two different legislative standards regulating the same practices, resulting in inconsistency and confusion.
- Proposal 6 - All state owned corporations should be covered by privacy legislation.
While the Privacy and Personal Information Protection Act 1998 (NSW) ("PPIPA") does not cover the private sector, the introduction of the NPPs in the Commonwealth Privacy Act in 2001 has created obligations for that sector, which are not shared by New South Wales statutory corporations. The Commissioner does not believe that there is a public policy reason to support this inconsistency.
- Proposal 7 - The PPIPA should be amended to provide that where a public sector agency contracts with a non-government organisation to provide services for government, the non-government organisation should be contractually obliged to abide by the Information Privacy Principles ("IPPs") and any applicable code of practice in the same way as if the public sector agency itself were providing the services.
The current position is that the PPIPA is silent on the status of non-government organisations contracted by public-sector agencies to provide services to the public. The Commissioner has concerns that state or territory government contractors, who are otherwise private sector organisations, may not be bound by the Commonwealth Privacy Act or equivalent standards when performing functions under state or territory contracts.
- Proposal 8 - If the PPIPA and the HRIPA are merged, the provision governing collection of personal information directly from an individual should contain the two exceptions currently provided for in IPP 2 together with a third exception currently provided for in HPP (Health Privacy Principle) 3, namely that information must be collected from the individual unless it is "unreasonable or impractical to do so".
The current situation in New South Wales is that section 9 of the PPIPA provides that personal information must be collected directly from the individual to whom it relates unless that individual authorises indirect collection. This can cause problems where the individual is incapable of authorising collection from another person due to illness, disability or because the individual is deceased or missing.
The Commissioner further submitted that:
- the NSW Privacy Principles should include a principle equivalent to the Commonwealth's proposed UPP 2.5 in that if an agency or organisation receives unsolicited personal information it must either:
- destroy the information without using or disclosing it; or
- comply with all relevant provisions in the UPPs as if the agency or organisation had actively collected the information; and
- if the entity retains the information it would need to comply with all relevant provisions in the UPPs. This includes, for example, informing the individual concerned that the collection has taken place and checking the accuracy of information obtained from third parties.
The PPIPA does not currently regulate the collection of unsolicited personal information to this degree, again producing inconsistencies between the Federal and State laws.
- there should be minimal exemptions under the Privacy Act 1988 (Cth). Exemptions in State or Territory laws should also be minimised and only be established where there are clear and compelling public policy reasons for doing so;
- there should be ongoing collaborations between governments to propose a statutory cause of action for invasion of privacy that could be uniformly applied across all jurisdictions;
- the collection of sensitive information should be more strictly regulated in New South Wales privacy laws than non-sensitive personal information. Currently there are no additional restrictions. The Commissioner considers that any privacy principle regulating the collection of sensitive information should be equivalent to, and preferably uniform with, the relevant uniform privacy principle to ensure consistency; and
- the collection of sensitive information should be allowed if necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
The Commissioner strongly recommended that the main issues for improvement in the regulation of privacy laws are:
- the consistency across jurisdictions; and
- the lessening of the distinction between the regulation of the private and public sectors.
The Commissioner considered that harmonising the privacy principles would:
- reduce compliance difficulties for agencies and organisations;
- empower individuals to better understand and exercise their privacy rights; and
- help to promote clear and common understanding of privacy obligations across the community.
The NSWLRC will report in stages, with its first report likely to be released in the coming months. If the NSWLRC's proposals translate into recommendations and are accepted by the NSW Government, then we may be one step closer to uniform privacy laws in Australia. The Commissioner has welcomed the proposals for reform; however, it also strongly recommended that the best way forward for Australian privacy law is to have uniformity across the Commonwealth and all of the States and Territories.