• Specific Year
    Any

Greenleaf, Graham --- "Revolutionary' NSW Bill to set the agenda" [1996] PrivLawPRpr 20; (1996) 3(1) Privacy Law & Policy Reporter 17


`Revolutionary' NSW Bill to set the agenda

Graham Greenleaf

NSW Attorney-General, Jeff Shaw, has announced details of a `revolutionary' NSW Privacy and Data Protection Bill 1996 which he says will be soon introduced. If enacted as promised, the NSW move will take the initiative from the Federal Government in setting privacy standards in the private sector in Australia, and will force a reaction from other Australian governments. It will also set the standard for privacy protection in the state and territory public sectors. The new privacy law will be administered by a new NSW human rights commission, which will merge the existing NSW Privacy Committee with the Anti-discrimination Board, and will be headed by Mr Chris Puplick.

The Bill has not yet been released, and it is understood that not all details have yet been finally approved by Cabinet. In releasing details, Mr Shaw was initially reacting to disclosures in the NSW Police Royal Commission that a paedophile in the NSW Department of Community Services had used his position to obtain details of young boys who he then approached to pose for photographs. The Bill will include criminal sanctions for public officials who use information corruptly. He subsequently released further details of the Bill, and his spokesperson has provided further clarifications.

Comprehensive coverage?

`This revolutionary package will apply to both the public and private sectors', Mr Shaw said. `Data protection principles will apply to the public sector and codes of conduct will be developed for the private sector'. As explained below, privacy principles will be enforceable in both sectors.

Mr Shaw's office confirmed that the data protection principles would apply directly to NSW Government agencies, but could be modified for specific public sector bodies by regulations. Insofar as the private sector is concerned, the procedure would be different in that no enforceable principles would apply until the Commissioner drew up codes of conduct applying to various parts of the private sector. These codes would be issued by means of regulations. The Commissioner would normally draw up such codes in consultation with representative private sector bodies, but a code could be imposed on a sector that was dragging its feet.

A key matter which is unclear as yet is whether the modifications to the public sector principles, or the issuing of codes of conduct, will be by regulations (that is, made by the Government) or will be statutory instruments made by the Privacy Commissioner. Such codes are made by the Commonwealth Privacy Commissioner and the NZ Privacy Commissioners under their Acts, subject to the safeguard (in the Commonwealth case) of disallowance by Parliament. If the Commissioner is going to be the initial `negotiator' of codes with industry, it does not seem desirable that her or his efforts should then be able to be undermined by `closed door' appeals to a Minister for modifications. The open process of parliamentary disallowance has advantages.

It is also unclear what opportunity the public and public interest groups (such as consumer and civil liberties organisations) will have for input into the process of developing such codes/regulations -- or whether only `industry groups' will have an opportunity for input.

One of the dangers of the proposed approach, in relation to the private sector, is that it may have the potential for private sector coverage but fail to deliver it, if the government or Commissioner (whichever has the authority) fails to produce codes for major parts of the private sector. This might occur through lack of resources, lack of political will, or effective delaying tactics by industry. The contrasting approach in the NZ Privacy Act 1993, which allows codes to be developed but makes the private sector subject to a staged introduction of all the privacy principles unless and until codes are developed, gives a certainty of coverage after a phase-in period. Perhaps the NSW Bill will provide sufficient flexibility to guarantee this result -- it should.

NSW to be `EU-safe'

Mr Shaw says that the legislation will make NSW `the first state to meet the all-important European Council of Ministers' Personal Data Protection Directive, making NSW a magnet for new business ventures'. As explained in 2 PLPR 81 and 105, the EU privacy Directive will prohibit exports of personal data from European countries to countries which have inadequate privacy laws. The Directive requires this prohibition by EU countries to be effective by at least July 1998, but individual country laws may take effect any time before that.

Other details of the content of the privacy principles in the NSW Bill have not been released, but it can be expected that they will not be any weaker than those in the Commonwealth Privacy Act 1988. One of the few good features of the previous NSW Government's Privacy and Data Protection Bill 1994 (see 1 PLPR 41) was that it even improved on the Commonwealth IPPs, following suggestions by the NSW Privacy Committee, so it is hard to see the Shaw Bill being weaker.

PLPR 18 National uniformity?

Enforceable private sector privacy laws in NSW will affect all companies and organisations with Australia-wide operations. Industry sectors such as direct marketing and insurance have already expressed a preference for national privacy laws. Mr Shaw commented that `I plan to continue to seek to develop a national approach to privacy and data protection. However, I will not allow the important human rights of NSW citizens to be sacrificed to the usual lengthy delays involved in national agreement, and our privacy legislation will proceed very soon'.

This is an entirely desirable approach. The Federal Coalition Government's policy is that privacy reform is `a matter of the utmost priority' and requires `a consistent Australia-wide approach', but requires consultation with the states and a comprehensive parliamentary inquiry (see < 3 PLPR 1>). Nothing will better focus the attentions of the Commonwealth and other jurisdictions on privacy than a NSW Bill covering the private sector. A `national approach' will then emerge very fast.

Puplick to head NSW human rights commission

Mr Shaw announced the legislation would create the office of NSW Privacy Commissioner, who will have the function of investigating complaints. There will also be a `Privacy Advisory Committee', but its relationship to the existing Privacy Committee has not been explained. However, a new development is that a new NSW `human rights and justice' Commission (the exact name has not yet been settled) would be created by merging the existing NSW Privacy Committee with the Anti-discrimination Board, incorporating staff from both bodies (6 and 45, respectively).

Mr Shaw announced that Mr Chris Puplick, the current Chairman of the NSW Privacy Committee and President of the Anti-Discrimination Board, would be the new Privacy Commissioner and would head the new merged body. In congratulating Mr Puplick, Mr Shaw said he was `admirably and uniquely qualified for this crucial new role ... [and] had demonstrated his superior commitment, capacity and talents in both the positions he currently held'.

Such a merger was proposed by the Anti-discrimination Board in a submission to a Legislative Council Committee in 1994. Mr Shaw is reported as saying that he proposed the merger because the two bodies had similar complaints processes and both dealt with human rights issues, and it would be more efficient.

Cautions about a merger

A merger of privacy and anti-discrimination functions in a state human rights Commission may be justifiable, even desirable, but its success -- from a privacy perspective -- depends entirely on how it is done. Two particular issues stand out, in the details known to date.

First, without in any way questioning Mr Puplick's undoubted abilities, or his suitability to head the new body, the fact is that he will be a part-time Privacy Commissioner and a part-time Anti-discrimination Commissioner. The demands of the new position of Privacy Commissioner, given the enormous expansion of the Commissioner's role in relation to both the public and private sectors, will require a full-time Commissioner if the job is to be done effectively. In particular, the first couple of years operation of the new privacy law will require the sustained application of the Commissioner's expertise and involvement in the development of codes, and in the interpretation of the new law. An expansion of privacy staff beyond the current inadequate staffing of the Privacy Committee (as promised by Mr Shaw) will help, but is no substitute for a full-time Commissioner.

NZ, a jurisdiction equivalent to NSW, has a full-time Privacy Commissioner, and other human rights Commissioners. The Commonwealth's Human Rights and Equal Opportunities Commission (HREOC), has a full-time Privacy Commissioner (who only has very limited private sector responsibilities) and six other Commissioners dealing with discrimination and other human rights issues. NSW would not be extravagant in having both a Privacy Commissioner and an Anti-discrimination Commissioner.

Second, while there ought to be efficiencies to be gained from merging administrative arrangements in the privacy and discrimination areas, HREOC's experience in complaint-handling ought to be a salutary lesson. HREOC complaint staff, experienced in handling discrimination complaints, took over privacy complaints for a period, but this approach was then abandoned and HREOC's Privacy Branch (that is the Privacy Commissioner's Office) now does all its own complaint investigation. There are good reasons why such a merger of complaint-handling is problematic. While privacy issues and discrimination issues do overlap, they often require very different expertise and resolution skills. For example, privacy issues increasingly requiring expertise in information technology, and resolution of discrimination issues very often requires considerable sensitivity to cultural and personal differences. It is likely to be difficult to find staff who are equally interested and able in handling both privacy and discrimination matters. It would be sensible for NSW to consider the Commonwealth approach.

Compensation claims to an AAT

There will be provision for compensation to `victims' of up to $40,000. Mr Shaw's spokesperson confirmed that this will apply to breaches of either the public sector principles or a private sector code. Compensation claims will be heard by a new Administrative Appeals Tribunal, a somewhat surprising choice given that it will hear complaints against private sector bodies.

Criminal sanctions

The Shaw Bill will include criminal sanctions for public officials who use information corruptly. However, criminal sanctions would not apply to the improper disclosure of private sector personal information in breach of a code of conduct. The 1994 Bill included some criminal sanctions for private sector involvement in corrupt public sector disclosures.

Revolutionary?

Mr Shaw described the previous NSW Government's Privacy and Data Protection Bill 1994 as `woefully inadequate for many reasons, including its abject failure to provide enforceable remedies and its total lack of enforcement for data protection principles'. Similar criticisms were made in 1 PLPR 41 and 65 which described it as a `Clayton's privacy Bill' which would make NSW an `international laughing stock'. Having made such a contrast, and released so many details, it will be difficult for Mr Shaw to deliver a similarly weak Bill -- or for his colleagues to get cold feet.

On the strength of the details released so far, Mr Shaw's proposed Bill will be far superior to its predecessor. While `revolutionary' for Australia's retarded privacy laws, it will be comparable to modern privacy legislation in Europe, NZ, Québec and Hong Kong. If the fine print of the Shaw Bill lives up to the general approach that has been announced, NSW may regain the position that it held 20 years ago as an international leader in privacy protection. v

Graham Greenleaf is a Member of the NSW Privacy Committee, but this article presents a personal view and does not represent the views of the Committee.

Download

No downloadable files available