Balancing the Treatment of ‘Personal Information’ Under FOI and Privacy Laws: A Comparative Australian Analysis – Part 1
There has been longstanding recognition that some degree of protection should be given to the privacy of personal information about individuals. Some
examples of this include recognition of privacy as a human right worthy of protection, as in:
(a) Article 12 of the Universal Declaration of Human Rights;
(b) Article 17 of the International Covenant on Civil and Political Rights;
(c) Section 12(a), Human Rights Act 2004 (ACT); and
(d) Section 13(a), Charter of Human Rights and Responsibilities Act 2006 (Vic).
Although those examples relate to a broader notion of privacy, the justification behind a broader right of privacy applies equally to the need for information privacy. When referring to information privacy I mean, at the very least, the interest of a person in controlling information held by others about
him or her.
Some would say that information privacy is broader than that and can be read as being about the rights of individuals to exercise some control over the
way information about them is collected, the way in which it may be used, to whom it may be disclosed, and about ensuring that the information is securely
stored and not misused. It can also extend to the right of an individual to have access to information concerning himself or herself and to ensure
that, when information is used or disclosed, it is not incorrect, out-of-date or misleading.
In Australia, however, there has been some tension and inconsistency about how privacy of personal information should be dealt with when it is held by
government agencies. What mechanism should be used to provide protection of personal information privacy rights? Should it be considered as part of
freedom of information (or related) legislation, or should it be dealt with in separate privacy legislation? Should it be dealt with in legislation
at all, or in some other way?
The variety of approaches in Australian jurisdictions may stem from the difference in views as to what the right to information privacy encompasses and
where or how it should be addressed. The correctness or desirability of one view over another is a philosophical debate that is beyond the scope of
this paper and one which I will leave to more learned commentators.
In Part 1 of this paper, I look briefly at:
- what privacy regime, if any, exists in each Australian jurisdiction, and how it is manifested; and
- what each privacy regime protects and what falls within the protection offered. For example, does a regime govern a broader concept of ‘personal information’,
or does it exclude certain matters such as ‘health information’?
In Part 2, which will be published subsequently, I look at:
- how each Australian jurisdiction deals with protection of personal privacy in relation to applications for access under freedom of information/right
to information legislation. I review the nature and scope of each relevant personal privacy related exemption provision or equivalent; and
- how the different jurisdictions manage the balance between privacy and freedom of information regimes in how they treat personal information.
I also refer to some developments in legislation and case law.
All Australian jurisdictions apart from Western Australia and South Australia have specific legislation in place that sets out the general personal information
privacy regime for that jurisdiction, at least as it applies to public sector agencies (and in some cases private sector organisations, either generally
or in specific areas such as the health sector). In most of these jurisdictions, regulations have been made under the relevant legislation and, in New
South Wales, there is also a code of practice that appears to be given legislative effect. These arrangements are set out in Table 1 below.
Table 1

| Jurisdiction | Legislation | Abbreviation used in this paper |
|---|---|---|
| Commonwealth | Privacy Act 1988 (Cth); Privacy Regulation 2013 (Cth) | Cth Privacy Act; Cth Privacy Reg |
| ACT | Privacy Act 1988 (Cth) as amended by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth); Health Records (Privacy and Access) Act 1997 (ACT) | ACT Privacy Act |
| NSW | Privacy and Personal Information Protection Act 1998 (NSW); Privacy and Personal Information Protection Regulation 2005 (NSW); Privacy Code of Practice (General) 2003 (NSW); Health Records and Information Privacy Act 2002 (NSW); Health Records and Information Privacy Regulation 2012 (NSW); Health Records and Information Privacy Code of Practice 2005 (NSW) | NSW PPIPA; NSW PPIP Reg; NSW Privacy Code; NSW HRIP Reg; NSW HRIP Code |
| NT | Information Act 2002 (NT); Information Regulations (NT) | NT Information Act; NT Information Regs |
| Qld | Information Privacy Act 2009 (Qld); Information Privacy Regulation 2009 (Qld) | Qld Privacy Act; Qld Privacy Reg |
| Tas | Personal Information Protection Act 2004 (Tas) | Tas PIPAct |
| Vic | Information Privacy Act 2000 (Vic)[i]; Health Records Act 2001 (Vic); Health Records Regulations 2012 (Vic) | Vic IPAct; Vic HRAct; Vic HR Reg |
[i] Note that at the time of writing, there was a bill before the Victorian Parliament which would repeal and substitute the Vic IPAct, the
Privacy and Data Protection Bill 2014 (Vic PDP Bill). That bill has since been enacted as the Privacy and Data Protection Act 2014 (Vic PDPAct).
In South Australia, a Cabinet Instruction known as the Information Privacy Principles Instruction (IPPS Instruction) applies to all public sector agencies as defined in the Public Sector Act 2009 (SA) unless:
(a) Cabinet otherwise determines; or
(b) the agency falls within a schedule to the IPPS Instruction. That schedule lists a handful of agencies, including the Independent Commissioner Against Corruption
and the Office for Public Integrity.
In July 2004, the South Australian Department of Health published the Code of Fair Information Handling Practices, which was intended to apply to all employees who, in the course of their work (whether paid or voluntary), have access to personal information
collected, used or stored by or on behalf of the Department of Health and/or funded service providers. Compliance with the Code is mandatory in accordance
with a directive issued by the Department in December 2001. This
Code is not dealt with in detail in this paper.
In Western Australia, no legislation or other instrument (such as the SA Cabinet Instruction) deals specifically with privacy. An Information Privacy Bill 2007 was introduced into Parliament in WA by the then Labor Government. It proposed to amend the WA freedom of information legislation to introduce concepts
of personal information privacy and health information privacy. It was introduced in the Legislative Assembly in March 2007, passed through the Legislative
Assembly in November 2007, and progressed to the Legislative Council, where it was read a second time on 4 December 2007, but did not progress further.
At an administrative level, the Commissioner for Public Sector Standards has issued a number of codes of ethics under the Public Sector Management Act 1994 (WA). For example, on 8 May 2007 the Commissioner issued the Western Australian Public Sector Code of Ethics (2007), which provided that, to
meet a minimum standard of conduct and integrity, public sector bodies and employees were required to ‘protect privacy and confidentiality’ and respect
the privacy of individuals.
The most recent instrument of which I am aware is Commissioner’s Instruction No 7: Code of Ethics, which commenced on 3 July 2012. It applies
more broadly and requires all public sector bodies and employees to ‘treat people with respect, courtesy and sensitivity and recognise their interests, rights,
safety and welfare’ (emphasis added). In addition, there is an obligation on all public sector bodies to develop their own codes of conduct, consistent
with the Code of Ethics and the Commissioner’s Conduct Guide. The Conduct Guide makes it clear that codes of conduct should address a policy of ‘[c]ustomer privacy
and security of personal information.’
For example, a sample code of ethics for a board or committee prepared by the Western Australian Public Sector Commission requires members to ‘respect
the confidentiality and privacy of all information as it pertains to individuals’.
In all jurisdictions, there are also legislative secrecy or confidentiality provisions that apply to specific officers and/or agencies, and which may expressly
protect personal privacy using phrases such as ‘information relating to the affairs of any person’ or ‘any natural person’ or provide more general
secrecy protection. Such provisions tend to have the effect of precluding persons who hold or have held certain positions, or certain specified agencies
or offices, from disclosing information they have obtained in the performance of their duties, functions or powers. Although they represent ways in
which jurisdictions protect privacy in specific contexts, I do not propose to canvass these as they are too numerous to mention.
At the Commonwealth level, the regulation of information privacy is dealt with in the Privacy Act 1988 (Cth) (Cth Privacy Act). It
deals with information privacy as it applies to personal information. It defines ‘personal information’ as follows:
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
- Key features
The Cth Privacy Act establishes 13 Australian Privacy Principles (APPs) dealing with the collection, management, use, disclosure, security, access,
correction or transfer of personal information.
The Cth Privacy Act imposes obligations on APP entities, which are defined to mean an ‘agency’ or an ‘organisation’. An ‘agency’ includes a minister,
a department, a body established for a public purpose under a Commonwealth enactment, and various other office holders or bodies. An
‘organisation’ is defined as an individual, body corporate, partnership or trust that does not fall within a number of exclusions (eg a small business
operator with an annual turnover of $3 million or less is excluded). Therefore,
to that extent, the Act extends to the private sector as well as the public sector.
An APP entity must not do an act, or engage in a practice, that breaches an APP – ie is contrary to or inconsistent with an APP.
Some interesting features of the Cth Privacy Act include:
(a) Under APP 12, if a person wishes to obtain access to personal information about themselves, on request to an APP entity that holds that information,
access must be given. However, the APP entity is not required to give access if it may refuse access under the Freedom of Information Act 1982 (Cth)
(Cth FOI Act), or under some other Act. The Cth FOI Act in this instance takes precedence. APP 12 therefore seems to have a greater role in dealing with access requests made to other organisations than in dealing with those made to agencies.
(b) In contrast, under APP 13, if a person makes a request to an APP entity holding personal information about him/her to correct the information on the
basis that it is inaccurate, out of date, incomplete, irrelevant or misleading, the APP entity must take reasonable steps to correct it. The processes
and procedures in APP 13 are not a substitute for the procedures contained in Part V of the Cth FOI Act, but rather co-exist with them. Significant
differences between them are highlighted in the Guidelines issued by the Information Commissioner.
(c) The Cth Privacy Act deals expressly with the position of contracted service providers under government contracts in various provisions.
(d) One part of the Cth Privacy Act gives the Information Commissioner power to make a public interest determination; this in effect permits an
APP entity to engage in an act or practice that breaches or may breach an APP where the public interest in doing so substantially outweighs the public
interest in adhering to the APP.
(e) The Information Commissioner is given various powers and functions; these are referred to in more detail below.
- How is privacy protected?
An act or practice of an APP entity is an interference with privacy if it breaches an APP in relation to personal information about an individual. An
individual may make a written complaint to the Information Commissioner about an act or practice that may have been an interference with privacy.
Complaints made directly to the APP entity are encouraged, so that it has an opportunity to address and appropriately deal with the complaint. If
that has not occurred, or it has occurred and the complaint is still being considered and dealt with by the APP entity, the Information Commissioner may
decide not to investigate the complaint, or not to investigate it further. The
Information Commissioner may decline to investigate a complaint on other grounds as well.
If a complaint has been made about an act or practice that may have been an interference with privacy, and the complainant did complain to the entity before
making the complaint to the Information Commissioner, the Information Commissioner shall investigate the act or practice.
Where the Information Commissioner considers it reasonably possible that such a complaint may be successfully conciliated, and no decision has been made
not to investigate or not to investigate further, a reasonable attempt to conciliate must be made by the Information Commissioner.
The remedy available to a complainant will depend on the avenue undertaken and the outcome of the process.
Remedies which APP entities might provide to complainants can vary and might include compensation, education of individuals or staff more generally, improvements
in processes and procedures, and other similar measures intended to mitigate any harm and minimise the risk of future interference with privacy.
Conciliation of complaints to the Information Commissioner may result in similar outcomes eg compensation for injury to feelings and humiliation.
If an entity engages in a serious interference with privacy, or repeatedly performs an act or engages in a practice that is an interference with privacy,
it may be liable to a civil penalty of up to 2,000 penalty units. The
Information Commissioner can apply to the Federal Court or Federal Circuit Court for an order that an entity alleged to have contravened a
civil penalty provision pay the Commonwealth a pecuniary penalty.
Further, if a matter is not conciliated, after investigating a complaint the Information Commissioner can, if the complaint is not dismissed, find the
complaint substantiated and make a determination (which must include any findings of fact on which it is based) with one or more declarations, including:
(a) that the agency has engaged in conduct constituting an interference with privacy and must not repeat or continue such conduct;
(b) that the agency must take specified steps (which must be reasonable and appropriate) to ensure that such conduct is not repeated or continued;
(c) that the agency must perform any reasonable act or course of conduct to redress any loss or damage for injury to feelings or humiliation suffered by
(d) that the complainant is entitled to a specified amount by way of compensation for loss or damage for injury to feelings or humiliation suffered;
(e) that the complainant is entitled to a specified amount to reimburse expenses reasonably incurred in connection with the complaint and investigation.
If such a determination is made, the agency must not repeat or continue any conduct covered by a relevant declaration, must take the steps specified in the
declaration and must perform any acts or course of conduct covered by the declaration and determination. Any amounts which the complainant is entitled to be paid are recoverable as a debt due from the agency (or from the Commonwealth in certain cases). If
the agency fails to comply, the complainant or the Information Commissioner may commence proceedings in the Federal Court or Federal Circuit Court
for an order directing compliance.
In Victoria, the regulation of information privacy is split between two Acts, the Information Privacy Act 2000 (Vic) (Vic IP Act) and the Health Records Act 2001 (Vic) (Vic HR Act). The Vic IP Act deals with information privacy as it applies to personal information,
but expressly excludes health information, which is dealt with separately in the Vic HR Act.
- What is dealt with?
The Vic IP Act uses the following definition of ‘personal information’:
personal information means information or an opinion (including information or an opinion forming part of a database), that is
recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information
or opinion, but does not include information of a kind to which the Health Records Act 2001 applies.
Interestingly, this definition is slightly different from the definition of ‘personal information’ in the Vic HR Act:
personal information means information or an opinion (including information or an opinion forming part of a database), whether
true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from
the information or opinion, but does not include information about an individual who has been dead for more than 30 years.
This differs from the Vic IP Act definition in two respects. First, the Vic IP Act definition is confined to information or an opinion that is ‘recorded in any form’, whereas the Vic HR Act definition applies ‘whether recorded in a material form or not’, so unrecorded information about an individual can be ‘personal information’ under the Vic HR Act but not under the Vic IP Act. Second, the Vic HR Act definition excludes information about a person who has been dead for more than 30 years, an exclusion the Vic IP Act definition does not contain.
- Key features
The Vic IP Act establishes 10 Information Privacy Principles (IPPs) dealing with the collection, management, use, disclosure, security or transfer of personal information; one IPP deals specifically with sensitive information.
The Vic IP Act imposes obligations on organisations, which are defined to include, among other things, public sector bodies, local councils, various
offices or bodies established for a public purpose, and certain contracted service providers known as State contractors. By
contrast, the Vic HR Act applies to both the public and the private sector in relation to health information collected, held or used.
An organisation must not perform an act, or engage in a practice, that contravenes an IPP in respect of personal information collected, held, managed,
used, disclosed or transferred by it. An act carried out or practice engaged in by an organisation that is contrary to, or inconsistent with, an IPP
is an interference with the privacy of an individual.
Interesting features of the Vic IP Act include:
(a) If a provision in another Act is inconsistent with a provision in the Vic IP Act, the other Act prevails to the extent of the inconsistency
and the Vic IP Act provision has no force or effect.
(b) If a person wishes to obtain access to or amend personal information about themselves in a document held by an ‘agency’ under the Freedom of Information Act 1982 (Vic)
(Vic FOI Act), any application for access or amendment must be made under the Vic FOI Act processes and procedures, and not under
the Vic IP Act. This
means that, in effect, IPP 6 relating to access to and amendment of documents held by organisations probably only has a role in relation to State contractors,
which can be private sector bodies not otherwise caught by the Vic FOI Act.
(c) The Vic IP Act does not apply to personal information in a generally available publication – a publication (whether paper or electronic)
that is generally available to members of the public, which includes information held on a public register. Despite
this, public sector agencies or councils which administer public registers must, so far as is reasonably practicable, not contravene the IPPs in connection
with the administration of the public register if that information is personal information.
(d) There is a strong incentive for agencies contracting out to State contractors to ensure that the contract makes adequate provision to bind State contractors
by the IPPs to the same extent as if they were the agency contracting them. Otherwise, any interference
with privacy arising from an act or practice of the contractor is attributed to the agency.
(e) The Privacy Commissioner is established by the Vic IP Act. The role, powers and functions of the Privacy Commissioner are referred to in
more detail below.
- How is privacy protected?
We saw that any act done or practice engaged in which is contrary to or inconsistent with the IPPs is an interference with privacy. An individual may make
a written complaint to the Privacy Commissioner about an act or practice of an organisation that may have been an i