Privacy Law and Policy Reporter
Successful complaints to Privacy NSW: practical, legal and procedural issues involved in the NSW jurisdiction
Siobhan Jenner PRIVACY NSW
A version of this article was presented at the Baker & Mackenzie Cyber Law and Policy Centre seminar Privacy Complaints: How to Win for your Client (Making Privacy Laws Work) on 4 December 2003. The views expressed in this article are those of the author and do not necessarily represent the views of the Privacy Commissioner nor the policies of Privacy NSW.
This article provides an understanding of the NSW privacy regulatory regimes and how complaints can aim for the best possible outcome. The basic outline of the jurisdiction has been omitted on the basis that it will be familiar to most readers — anyone requiring a refresher can find details on the Privacy NSW website at <www.lawlink.nsw.gov.au/pc.nsf/>. Ms Jenner goes on to describe the two complaint mechanisms in Pts 4 and 5 of the Act — Associate Editor.
Internal review vs investigation by Privacy Commissioner
Individuals who have complaints about the way their personal information has been dealt with by NSW public sector agencies have two options under the Privacy and Personal Information Act 1998 (NSW) (PPIA) for having their matter dealt with. If an Information Protection Principle (IPP), privacy code of practice or public register provision has been breached, he or she can ask the agency concerned to conduct an internal review under Pt 5 of the PPIA.[1] If the individual is not satisfied by the findings or by the action taken by the agency in relation to the application they may apply to the Administrative Decisions Tribunal (ADT) to have the matter reviewed. The Privacy Commissioner has an oversight role in internal reviews. I will say more about internal reviews and review by the Tribunal later.
Part 4 investigations
Alternatively, an individual or their representative can lodge a complaint with the Privacy Commissioner about conduct which ‘violates or interferes’ with their privacy even if it is not referable to an IPP, code or public register provision.[2] Common complaints received by Privacy NSW concern bag searches, drug testing, vehicle tracking, search and seizure, drug and DNA testing and video surveillance. So clearly, privacy is about much more than the way in which one’s personal information is handled by government agencies.
Privacy NSW’s Complaints Protocol, which is available on its website,[3] details how the Commissioner will be guided in his or her decision making as to whether or not a complainant’s privacy has been violated or interfered with. The standards applied will differ, according to whether or not the respondent is bound already by the IPPs, and whether or not the complaint is about physical privacy rather than information privacy. If the matter or the agency is not regulated by the IPPs but it concerns ‘information privacy’, the applicable standard is Privacy NSW’s Data Protection Principles, or DPPs.[4]
If the matter concerns physical privacy the applicable standard will be the standard described in the 1973 Report to the NSW Parliament on the Law of Privacy by Professor W L Morison.[5] The report was the basis upon which the original Privacy Committee Act 1975 (NSW) was enacted to establish the Privacy Committee of NSW. In that report Professor Morison referred extensively to the US tort of privacy which was summarised by Dean William L Prosser as based on:
1. The intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation for the defendant of advantage of the plaintiff’s name or likeness.[6]
Despite the legal terms of plaintiff and defendant, the above definitions of breaches of privacy reflect a broad range of community expectations about privacy. These expectations are reflected in the telephone enquiries and written complaints received by Privacy NSW and by its predecessor, the Privacy Committee, over many years. Like the DPPs, such standards do not have the force of law.
Where a complaint relates to conduct which is reviewable under Pt 5 the Privacy Commissioner must notify complainants of this option first and may refer the complainant to the relevant public sector agency for review under Pt 5.
There is a discretion to reject a complaint if the individual has taken more than six months to complain after becoming aware of the relevant conduct.[7]
Privacy NSW does not investigate complaints against Federal or other State or Territory Government agencies (which may or may not be covered by relevant privacy legislation) or the conduct of non-government bodies (which is covered by the private sector amendments to the Federal Privacy Act 1988). However, it may investigate complaints about non-government organisations which are exempted from the Federal legislation (for example, small businesses, political parties or the media) or those which fall outside the kind of conduct regulated by the Federal Act such as private sector employment matters.
The Privacy Commissioner must seek to conciliate such complaints and, unlike the internal review mechanism, there is no ability for a complainant to seek further review by the ADT. Conciliation is generally undertaken by correspondence.
The most common outcome of Pt 4 investigations is an apology and in most cases complainants have expressed satisfaction with that as an outcome. There have been cases where public and private agencies have agreed to amend records or place a notation on a file that the original record was incorrect.
Although the Privacy Commissioner’s findings are not legally enforceable there is a residual power to make special reports to Parliament under s 65 of the PPIA if the Commissioner considers that the attitude of a party or the seriousness of an issue warrants it. Reports are only finalised after parties are given an opportunity to comment. Two such reports have been made to date and can be found on the website.[8]
Internal reviews
An internal review is the primary complaints resolution mechanism available under the PPIA. An internal review only applies to the conduct of ‘public sector agencies’, only to conduct which allegedly breaches the IPPs, a Code of Practice or public register provisions of the Act, and only to conduct which occurred after 1 July 2000.
The PPIA sets out a number of basic requirements for an application for internal review. It must be in writing and must be lodged within six months from the time that the applicant first became aware of the conduct complained about.[9]
Section 53 does not require that there be a specific request that an agency conducts an internal review or that the application make any reference to the Act. Agencies may have some problems in identifying whether a written complaint amounts to an application for internal review as distinct from a general complaint about the conduct of the agency. In some instances this will be obvious, for example if a written complaint relates to a refusal to provide access or correction requested under the Act. In some cases it may be apparent from the surrounding context (such as verbal interactions between the applicant and the agency or the internal contents of the letter) that a statutory right is being invoked. However, where an applicant is legally represented or proceeds through another informed agent, such as a trade union, the ADT has suggested it is reasonable for an agency to expect to find a direct reference to any statutory right that is being invoked.[10] Privacy NSW has developed an internal review checklist for agencies which makes it clear that the agency should take an expansive approach to complaints which relate to privacy.[11]
Advocates may wish to ask applicants to complete Privacy NSW’s application for internal review form which can be downloaded from the website.[12] Agencies have been made aware of the application form through the Privacy Contact Officer network and while they have been encouraged to make it available to complainants, agencies have been advised that it should not be an exclusive means to lodging an internal review application but merely a tool to assist both parties.
Conducting the internal review
Section 53(4) of the PPIA requires that a person who was not substantially involved in the conduct and is otherwise suitably qualified to deal with the application conducts an internal review. In a case recently oversighted the applicant was of the view that the person who conducted the review was involved in the matters giving rise to his application and that the agency therefore breached s 53(4). Privacy NSW was recently advised that this was not the case and that the person who signed off on the review was not the person who conducted the review. The person who conducted the review was not actually involved in the matters giving rise to the application.
The PPIA provides that internal reviews must be completed as soon as is reasonably practicable.[13] However, if the agency does not complete an internal review within 60 days the applicant may proceed to the ADT for a review of the conduct that was the subject of the internal review application.[14]
Once the review has been completed the agency may do one, any or all, of the following:
• take no further action;
• make a formal apology;
• take appropriate remedial action (including the payment of money to persons except prisoners, their spouse, partner, relative, friend or associate);
• provide undertakings to refrain from conduct; or
• implement administrative action to prevent the recurrence of the conduct.
Within 14 days after completion of the review the agency must notify the applicant of the findings, the proposed action to be taken by the agency and the fact that they have the right to have the findings reviewed by the ADT.
Breaches of privacy are often systemic in nature and complainants are frequently motivated by a concern that other people do not repeat their experience. However, applicants may not have sufficient experience of the inner workings of an agency to suggest more substantial remedies. Conversely, agencies will often want to pass off an incident as accidental without looking at underlying causes. Officers of Privacy NSW are prepared to discuss and advise on remedial action with applicants and respondents, but are precluded from providing legal assistance with a case because doing so might represent a conflict of interest.
Role of Privacy Commissioner in internal reviews
The Privacy Commissioner has a right to make submissions in the course of the review. To maintain a degree of impartiality those submissions are limited to matters relating to the internal review procedures rather than to the substance of the application. This is sometimes difficult for applicants to comprehend, but this occurs because advice may need to be given to the ADT on the law, and respondents might argue that there was a conflict of interest if submissions have already been made on the substance of the matter at the internal review stage.
Experience in oversighting internal reviews indicates a wide disparity in the manner in which internal reviews have been conducted. While some internal reviews are well investigated and documented, others have been less satisfactory. Some agencies make every effort to identify the issues and settle the matter. Others are insufficiently prepared to deal with a matter or they take a defensive position with one eye on the possibility of an application to the ADT. In Privacy NSW’s role under s 54 the following problems have been noted and submissions provided on them to the agencies concerned:
• not informing an applicant of their appeal rights;
• focusing on the facts alone rather than addressing the complaint in terms of the IPPs or the public register provisions;
• imposing an unreasonable burden of proof on the applicant; and
• focusing on only one IPP or the wrong IPP, for example an alleged disclosure, when the real issue may be unlawful or unfair collection, inadequate security or inappropriate use.
Most agencies to whom submissions have been made have responded favourably to advice. Most see submissions as best practice advice and act on it in order to prevent future internal review applications and possibly review by the ADT. In general, agencies which follow the internal review ‘checklist’ are less likely to require any further input from Privacy NSW in terms of oversight.
Review by the ADT
Under s 55(1) an applicant who is not satisfied with the findings of the internal review or the action taken by an agency in relation to an internal review application may apply to the ADT for review. An applicant cannot go directly to the ADT if he or she has not sought internal review, although if an agency has not reported on an internal review application, an applicant can apply for Tribunal review 60 days after the agency has received the application. An applicant who wishes to resolve an issue quickly might want to do this.
Planning meetings
Once an application has been lodged it will be set down for a planning meeting. Further planning meetings can be called until a case is ready for hearing. The function of planning meetings is to clarify the issues, attempt settlement or set a timetable for a hearing. Where applicants are unrepresented or have prepared their own application the planning meeting provides an opportunity to clarify details of the conduct complained about and to seek particulars to which, in the nature of privacy complaints, the agency is more likely to be privy.
Lack of direct evidence does not mean that the applicant cannot pursue a case. Arguments about where the onus of proof lies are probably unhelpful in dealing with such cases. The President of the ADT has indicated in a planning meeting that he recognises that the difficulty facing an applicant and the superior resources of the agency should be taken into account in a fact finding exercise.
The hearing
Hearings are conducted with varying degrees of formality. They generally follow a standard approach of tabling written evidence and statements and presenting legal argument, but not necessarily in any prescribed order. Unrepresented applicants are often faced with the usual difficulties in distinguishing evidence from argument and leading and cross-examining witnesses.
Once the matter has been heard the ADT may make certain orders including an order that the agency:
• apologise;
• provide an undertaking the conduct will not recur;
• undertake to change its operations to prevent recurrence of the conduct; or
• pay compensation to the applicant.
Compensation orders of up to $40,000 may be made against an agency where the individual can prove that a breach of the IPPs, privacy codes of practice or the public register provisions has resulted in financial loss or psychological or physical harm.[15] In the event that the ADT makes such a finding, damages will have to be paid by the agency concerned. To date the ADT has yet to make such an order.
Although a review by the ADT is ultimately a review of the merits of the conduct complained about, the threshold arguments will focus on whether the information is personal information as defined in s 4 and whether the agency handled personal information in a manner which constituted a breach of a provision of the Act. Agencies will often seek to argue that the information in question is not personal information. They may argue that it falls within one of the exceptions in s 4(3) or that it does not identify or is incapable of identifying an individual. The most frequently cited exemptions are s 4(3)(b) (information contained in a publicly available publication) and s 4(3)(j) (information about a person’s suitability for public sector employment).
Privacy Commissioner’s role at the ADT
The Privacy Commissioner has a right to appear and be heard before the ADT.[16] Privacy NSW exercises this right in order to advocate for interpretations of the Act in line with its primary function of protecting the privacy of individuals, and assist the ADT and all parties in their awareness and understanding of relevant instruments, such as s 41 directions. The Privacy Commissioner does not advocate a position on behalf of either party but does not resile from the possibility that intervention may influence the outcome of a case.
The lawyer’s role in assisting clients in internal reviews and at the Tribunal
If you are representing a client who has a complaint against a NSW public sector agency which concerns the agency’s dealing with the client’s personal information, you should be aware of some common issues that might arise.
• Where an applicant is an employee of an agency, the agency might seek to rely on the ‘employee suitability’ exemption in s 4(3)(j) to have the ADT exclude the matter before it goes to hearing. However it is still possible to argue that exemption should only apply in relation to particular facts.
• Agencies may argue that the information at issue is not personal information. However the definition says that if the person’s identity can ‘reasonably be ascertained from the information’ it will be ‘personal information’. The definition in s 4 clearly applies to ‘constructive identification’.[17]
• By focusing on an alleged disclosure, an agency can distract attention from non-compliance with other IPPs, such as collection, storage, use and the complainant’s rights of access and correction. Applicants and their representatives need to explore the possibility that the conduct complained about more accurately relates to another stage in the information life cycle. For instance if the information was disclosed and the applicant complains about the disclosure you should ascertain whether the applicant was made aware around the time of collection that the information would ordinarily be disclosed. If the applicant wasn’t made aware that the information would be disclosed it is possible that the agency breached s 10 (IPP 3).
• Applicants who expect to be able to obtain damages may not sufficiently consider the restricted scope of s 55(4)(b) under which damages can only be awarded if the applicant has suffered financial loss or physical or psychological harm. Typically, applicants who insist that their complaint should result in damages have failed to do their own reality check, and it is the role of advocates and Privacy NSW to give applicants more realistic expectations in this regard. They should be made aware that they will need to produce evidence such as a statement from a doctor or other professional as to the harm brought about by the conduct in the case of alleged physical or psychological harm.[18]
Agencies may sometimes not seek to rely on a s 41 direction until the matter reaches the ADT. The lesson for advocates is to check with Privacy NSW as to whether a direction or other exemption was in force at the relevant time.[19]
Conclusion
Apart from recognising some of the difficulties in the internal and external review process, how can you be an effective representative for your client in bringing any complaints under the PPIA, including Pt 4 complaints?
• Know the law. In one case a Sydney barrister told the media that he intended to sue a prominent person for breach of privacy. He was clearly unaware of the State and Commonwealth privacy regimes and needless to say he did not manage to establish a tort of privacy all on his own.
• Ask for advice. Although Privacy NSW needs to tread a very careful line in terms of conflicts, advice is provided to parties about the PPIA and about the procedures for bringing complaints, internal review applications and review by the Tribunal. Privacy NSW can explain the IPPs, the DPPs, the Prosser tests, and the relevant exemptions under the PPIA, and can refer you to relevant cases and resource materials.
• Get a copy of the agency’s privacy management plan.[20] If an agency is relying on an exemption to support a common practice this should be set out in their plan. Section 33(2)(a) of the PPIA requires that the plan should set out the ‘policies and practices to ensure compliance with the Act’, and s 33(2)(d) provides that the plan should include ‘any other such matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency’.
• Use the internal review application form.
• Check the agency has met all procedural requirements for an internal review as set out in the internal review checklist.
The basic economics of a privacy complaint mean that applicants in the ADT will often be unrepresented. Privacy NSW does what it can to assist both parties understand the process and the relevant law, but is ultimately limited in what can be done by the structure of the Act, its inability to provide legal assistance and its need to avoid being placed in a conflict situation.
Anna Johnston, the Deputy Privacy Commissioner, said recently at a conference, ‘When we at [Privacy NSW] do our job well, we are improving the fairness and accountability of government.’ When you are advocating for clients with complaints brought under the PPIA, you do your job well when you make public sector agencies and private organisations accountable for how they have handled personal information. More importantly, you do your job well when you give back to individuals the expectation that their privacy rights will be protected in future.
Siobhan Jenner is a Senior Compliance & Investigations Officer with Privacy NSW.
Endnotes
[1]. Section 53.
[2]. Section 45.
[3]. <www.lawlink.nsw.gov.au/pc.nsf/pages/complaints>.
[4]. <www.lawlink.nsw.gov.au/pc.nsf/pages/dataprotect>.
[5]. Morison WL Report on the Law of Privacy 1973 No 170 Parliament of New South Wales p 20, [22]-[23].
[6]. Prosser William L ‘Privacy’ (1960) California Law Review 48, 383.
[7]. Section 45(5).
[8]. At <www.lawlink.nsw.gov.au/pc.nsf/pages/reports>.
[9]. Section 53(3).
[10]. Y v DET, cited above note 5 at [16].
[11]. The internal review checklist can be found at <www.lawlink.nsw.gov.au/pc.nsf/pages/irchecklist>.
[12]. <www.lawlink.nsw.gov.au/pc.nsf/pages/irapplication>.
[13]. Section 53(6).
[14]. Section 53(6).
[15]. Section 55(2)(a) which is subject to the requirement in s 55(4)(b).
[16]. Section 55(7).
[17]. This approach to constructive or deductive identification is supported by recent cases in England (H v Associated Newspapers [2002] EWCA Civ 195 (27 February 2002)) and New Zealand (Proceedings Commissioner v Commissioner of Police [2000] NZAR 277).
[18]. In GV v Office of the Director of Public Prosecutions [2003] NSWADT 177 (25 July 2003) the ADT considered whether the burden of proof applied to either of the parties. Tribunal member Robinson found that the legal requirements of onus and standard of proof did not ordinarily apply to a review under the PPIA [36]. However, if an applicant sought particular orders from the Tribunal he or she would ordinarily bear an initial or evidentiary burden in order to satisfy the Tribunal to make the orders sought.
[19]. Information about s 41 directions is also available at <www.lawlink.nsw.gov.au/pc.nsf/pages/section41orders>.
[20]. Section 33(1).