1 / 10

Fragmentation of Australia's Public Sector Privacy Laws

This article explores the fragmentation of privacy laws in Australia's public sector, focusing on the variations between Commonwealth/ACT, NSW, Vic & NT, and their similarities and differences in aims and details. It also discusses recent cases and examples regarding collection from the data subject, consent exceptions, minimal collection, and the definition of "records" or "documents."

hculbertson
Download Presentation

Fragmentation of Australia's Public Sector Privacy Laws

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Recent cases: Is there fragmentation of Australia's public sector privacy laws? Professor Graham Greenleaf UNSW Faculty of Law - 22 May 2003 NSW Freedom of Information and Privacy Practitioners Network

  2. Public sector privacy laws • Variations so far • Commonwealth / ACT - IPPs • NSW - NSW IPPs • Vic & NT (and private sector) - NPPs • Superficial similarities in aims • All based on life-cycle of information • Significant differences in details • Little case law except new NSW cases - major differences already emerging

  3. Examples and recent cases • Collection from the data subject • DO v University of New South Wales [2002] NSWADT 211; [2003] NSW ADTAP 9 • Consent exception- express or implied • FM v Macquarie University [2003] NSWADT 78 • Minimal collection - anonymity • Wykanak v Dept Local Govt [2002] NSWADT 208 • FH v NSW Dept Corrective Services [2003] NSWADT 72 • Are records required before Acts apply? • FM v Macquarie University [2003] NSWADT 78

  4. Collection from the data subject • Some laws require collection from the data subject, but they differ considerably • Cth IPPs impose no obligation to do collect from the individual, no consent needed to collect from 3rd Ps • NPP 1.4 requires collection only from individual ‘if it is reasonable and practicable to do so’ • NSW s9 requires collection directly from individual unless • 3rd P collection is authorised by the individual; or • Provided by parent/guardian if under 16 • DO v University of New South Wales [2002] NSWADT 211 • UNSW did have authorisation to collect from 3rd Ps • Iillustrates risks under NSW Act • It is OK to ‘double check’ with a 3rd P - collection from both

  5. Consent exception • Cth IPPs and NPPs - implied consent • ‘express consent or implied consent’ (Cth PA s6, also Vic) • Consent must also be informed ( meaning of ‘consent’) • Can consent be implied from failure to opt out? • NSW s26(2) requires express consent • Failure to opt out could never be good enough • FM v Macquarie University [2003] NSWADT 78 • Consent to UNSW to collect transcript from UNSW was implied consent to Macquarie to disclose it, but that is not express consent • Cf NZ requires ‘authorization’ • NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article)

  6. Minimal collection - anonymity • NPP 8 - ‘Wherever lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equiv. • Is it a breach to build systems which make anonymity impracticable? Does NPP8 require anonymity to be ‘designed in’? • FH v NSW Dept Corrective Services [2003] NSWADT 72 - • Equivocal on whether breach of security principle where it would cost millions for Dept to change system to log accesses • Wykanak v Dept Local Govt [2002] NSWADT 208 (summary) • ADT could not review a complaint of an anticipated breach of a NSW IPP • Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’

  7. 'Records' / 'documents’ • Significance in Commonwealth Privacy Act • Cth IPPs all require information in ‘records’ or a ‘generally available publication’ • NPPs don’t, but s16B has same effect • One of the dividing lines between information privacy and surveillance laws • Problems - compare Cth and NSW results • Interview with no notes taken • CCTV with no film • Listening device with no recording

  8. 'Records' / 'documents’ (2) • Other jurisdictions requiring records / documents • Victoria • S3 definition ‘personal information’ - ‘means information … that is recorded in any form …’ • Northern Territory • S4 definition ‘personal information’ means ‘government information from which …’ • S4 definition ‘government information’ means ‘a record held …’ • Hong Kong • s2 definition 'data' is only 'any representation of information, in any document'. • 'document' includes disks, film etc from which visual images or other data are 'capable ...of being reproduced’

  9. 'Records' / 'documents’ (3) • New South Wales - the odd one out • S4 defn ‘personal information’ means ‘information or an opinion (….whether or not recorded in a material form) …’ - cannot imply a record from the definition • NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs require ‘in a record’) • No equivalent to Cth s16B re NPPs • All NSW IPPs therefore apply to all personal information whether or not it is ever recorded • IPPs only require that agency must ‘collect’ or ‘hold’ personal information

  10. 'Records' / 'documents’ (4) • FM v Macquarie University [2003] NSWADT 78 • Hennessy Dep P (on appeal) • S18 breach by Macq’s disclosure to UNSW of information in 2 telephone conversations • Information was observations of FM and opinions about him • The information was never recorded by Macq • Held - Was ‘personal information’ even though FM’s behaviour was observed by others • Held - Info was ‘held’ in the mind of Macq staff • s4(4) defines ‘held’ as ‘possession or control’ • ‘Possess’ must include ‘in the mind’ for non-material information • Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies

More Related