Government Lawyers CLE Convention
9 September 2003
Privacy - the regulator’s perspective
Presentation by Anna Johnston, NSW Deputy Privacy Commissioner
Privacy : Challenges and trends, 2003
Good afternoon to you.
Well I was asked to give the “regulator‟s perspective” on privacy in 2003. So by way of
context I should just briefly explain what the role of Privacy NSW is.
What is the role of Privacy NSW?
Privacy NSW is an organisation charged with protecting and promoting privacy, and by doing
so we look after citizens‟ relationship with government.
When we do our job well, we are improving the fairness and accountability of government.
Why do I say that? Because commitment to the protection of individuals‟ privacy is not only
important for organisations because of their legal obligations.
Privacy protection is integral to trust, and trust is the cornerstone of effective relationships.
This is true no matter what kind of relationship we are talking about: from your personal and
family relationships, to e-government initiatives involving the relationship between the citizen
and the state.
So in brief, our work involves:
advice to the public sector on how to comply with the PPIP Act
advice to all manner of organisations on privacy issues that fall outside the scope of the
taking enquiries from members of the public who wish to know about their rights or make
a complaint or seek some assistance to resolve a particular problem
investigate and conciliate privacy complaints
oversighting how public sector agencies conduct Internal Reviews under the PPIP Act,
assisting the Administrative Decisions Tribunal by making submissions on statutory
interpretation in cases brought under the PPIP Act
What is the Privacy and Personal Information Protection Act about?
The PPIP Act obliges NSW public sector agencies, including local councils, to comply with
12 Information Protection Principles, or “IPPs”. The IPPs regulate the manner in which
public sector agencies may collect, retain, use and disclose personal information, as well as
placing obligations on agencies to ensure the accuracy of that information, and provide
people with easy access to information held about themselves.
The IPPs themselves are relatively common sense principles. Remember that they are
about the fair use of personal information. So they say things like “if you say you are
collecting somebody‟s personal information for one purpose, you should only use it for that
We have recently published some Fact Sheets which attempt to explain the IPPs in „plain
English‟ without affecting their legal meaning, and I‟ve reproduced this version in the
handouts for this presentation.
The IPPs do however have various exemptions. Some of the exemptions are built into the
Act itself, and deal with particular functions like judicial or law enforcement functions, or with
a particular principle, like saying the „collection‟ principles don‟t apply to unsolicited
Another form of exemption is a Direction made by the Privacy Commissioner, where the
Commissioner believes the public interest is better served by allowing the particular conduct
A third form of exemption is a Privacy Code of Practice, which is an instrument made by the
Attorney General. The Attorney General must consult with the Privacy Commissioner before
making a Code. In the early days of the Act some Codes were drafted by agencies or
Privacy NSW itself, but these days the Office of Parliamentary Counsel does the drafting.
This ensures the instruments are consistent and made more accessible, on the OPC‟s
website for example.
Internal Reviews and External Reviews
Now to enforcement of the IPPs.
In the event of an alleged breach of an IPP, a person may seek an Internal Review of the
agency‟s conduct or decision. About 100 Internal Reviews are being lodged each year now.
Internal Review is a process of investigation and review by the agency itself, although the
review must be conducted by a person removed from the original person whose conduct or
decision is the subject of the complaint.
Internal Review should be a relatively informal process for the resolution of the individual
complaint, but also for agencies to reflect on any systemic issues arising. Internal Review
must work correctly for the complainant‟s appeal rights to be preserved.
The Internal Review process is overseen by Privacy NSW, and we can make submissions to
the agency on the matter under review. We don‟t get involved in the agency‟s investigation
of the facts or the review of evidence. Our main concern is to ensure that the Internal
Review process is working.
Sometimes that means we have to remind agencies about the process to follow, and
occasionally we will make submissions to the agency where we think they may have got the
interpretation of the Act wrong. The agency is of course free to ignore our suggestions.
If the complainant is dissatisfied with the Internal Review they can apply to the Administrative
Decisions Tribunal for an „external‟ review of the agency‟s conduct or decision. The Tribunal
can order a variety of remedies.
The Privacy Commissioner has the automatic right to appear before the Tribunal, but we
only make submissions on interpretation of the law, and where we think a wider public
interest is at stake. We don‟t advocate for either the complainant or the respondent in the
The numbers of privacy cases being lodged in the ADT tripled from the first year to the
second (3 to 9), and tripled again from the second year to the third (9 to 37). At the moment
about 30 to 40 cases are being lodged per annum.
So far the ADT has issued about 13 judgments which include interpretation of the Act, so we
need to keep up to date with those decisions, as they affect the advice we give agencies and
members of the public about how the Act works.
When judgments are delivered, we summarise them in the form of casenotes on our
website, and include links to the full text of the judgment on the ADT website. We also
produce even shorter summaries for our newsletters.
Analysis of Internal Review applications
73 Internal Review matters were finalised last financial year, and the following discussion
draws on an analysis of those 73 cases.
In looking at which agencies receive the most Internal Review applications, it is perhaps not
surprising that the human services sector features prominently, followed by the transport
sector (primarily the RTA), then local government and the justice sector, and then regulatory
and central agencies.
We‟ve been mapping the relationship between applicants and the respondent agencies, and
a trend from the first year or so of Internal Review has since been strongly reversed. In the
first year the most likely type of applicant for an agency was its own employees, but this has
since moved to clients of the agency. This pattern may have been a natural result of the
introduction of the legislation, in that public servants heard about the PPIP Act well before
members of the public did.
We‟ve also been mapping the types of records or information that cause the most
complaints. The most common types of information or practice at issue during 2002-03 were
personal contact details, medical and health records, customer / membership and student
records, and criminal history records. Compared to previous years the number of
applications dealing with employment records, and local government and land title records,
We also review where in the information „life cycle‟ the most problems occur, and you can
see there are two distinct spikes at the point of collection and disclosure, with other issues
such as data security and first party access rights causing fewer complaints.
So of the 73 Internal Review applications finalised last year, you‟ll see that in the vast
majority of cases, an Internal Review was completed by the agency concerned. In only 2
cases did the complainant exercise their option of going straight to the Administrative
Decisions Tribunal before the Internal Review is complete, if the review has taken more than
60 days already.
You‟ll also see that of the 65 cases, a breach of the IPPs was found by the agency in 18
cases, which is just less than 30% of cases.
It is interesting to ask, for those 47 cases where no breach was found, why that was. You‟ll
see that while in only a few cases was the alleged conduct found never to have occurred, in
a quarter of cases the evidence was arguable.
In 42% of cases the conduct was found to have occurred, but that the conduct complied with
In a further 17% of cases the conduct was found to have occurred, it was not in compliance
with the IPPs, but nonetheless that non-compliance was authorised by a lawful exemption.
In terms of outcomes or remedies for the 18 cases in which a breach of the IPPs was found,
you‟ll see that often multiple remedies are offered. The remedies offered to the complainant
in these matters included apologies, rectification, and financial compensation. In a third of
cases the Internal Review resulted in a change in practices in the agency, and in over half
the cases re-training of staff was also promised as a result. In only 2 cases was some form
of compensation paid to the complainant.
Advice to the public sector
Well I‟ve spoken now at some length about the IPPs and their enforcement, and our role in
that process. But that‟s actually only a part of our day-to-day work at Privacy NSW.
As I mentioned earlier, one of our roles is to give advice and assistance to public sector
agencies on how they can comply with the 12 IPPs while still achieving their own objectives.
We are also asked for advice on topics that don‟t fit neatly into the PPIP Act, such as video
surveillance, genetic testing, spent convictions, drug and alcohol testing. Emerging
technologies also generate requests for advice on whether and how to use them, such as
global positioning devices, camera phones, internet monitoring, and so on.
Our advisory role includes answering over 200 formal requests for advice each year; sitting
on working parties and the like in order to develop government policy; and doing our own
research and policy work to develop guidelines for application across the public sector.
But it‟s not just State and Local government agencies who seek our advice. You‟ll see that
about 20% of requests for advice come from private sector organisations, and another 10%
from a variety of sources.
In almost half of all cases, the organisation requesting our advice is asking about itself - that
is, how do we as an organisation protect privacy, how do we comply with this or that piece of
legislation. The rest of the time the requests are actually about another organisation‟s
compliance. This might be for example if one Department wants to get personal information
from another Department, the second Department says “no”, and „privacy‟ is raised as the
We are increasingly trying to address issues in a systemic way. For example when we
realised that quite a few of the human service agencies were asking for advice on dealing
with clients with limited or no capacity to make decisions about their personal information, we
decided that some broader guidelines would be better than just individual letters of advice.
So we‟re now in the process of drafting some guidelines on „consent and capacity‟, and
we‟ve been getting feedback from various stakeholders as part of that project. If you are
interested in that topic you can see the second draft of our guidelines on our website, and
provide comment by 15 September.
Investigation and conciliation of complaints
Internal Review is actually not the only complaints mechanism under the PPIP Act. The Act
specifically preserved what was previously the NSW Privacy Committee‟s role of
investigating and conciliating all manner of privacy complaints. However we don‟t have the
power to order or enforce any particular outcome.
In practice now these tend to be complaints about matters that don‟t „fit‟ within the Internal
Privacy complaints that don‟t suit Internal Review are usually for one or two main reasons:
either the complaint is not against a public sector agency, or
the complaint is about physical privacy, like bag searches at a supermarket, or a prying
You can see from this graph that the profile of these complaints is different to Internal
Reviews as a result - for example here, the category of surveillance, monitoring, physical
privacy and biometrics tops the list.
But sometimes even for „information privacy‟ complaints against a public sector agency,
complainants will elect to have the Privacy Commissioner investigate their complaint, rather
than seek an Internal Review, for example because they fear repercussions from the agency
and so wish to remain anonymous.
In this capacity Privacy NSW receives about 200 formal complaints a year. Some of these
we refer to other bodies – especially since the Office of the Federal Privacy Commissioner
now regulates some of the private sector such as large businesses.
The new HRIP Act
So you‟ve just got your head around the PPIP Act - well brace yourself now for the HRIP Act!
The Health Records & Information Privacy Act 2002 (the HRIP Act) will commence next
year, and will affect both public and private sector holders of „health information‟ - not just
health service providers. There are 15 Health Privacy Principles (HPPs) which look pretty
similar to the 12 IPPs in the PPIP Act, with one exception - the HRIP Act has a specific
principle which establishes limits around the development of linked electronic health records.
„Health information‟ will effectively be taken out of the scope of the PPIP Act, but the
remedies for complaints about breaches of the HPPs by public sector agencies will be
exactly the same : the complainant can seek an Internal Review followed by external review
by the ADT, or he or she can make a privacy complaint to the Privacy Commissioner for
investigation and conciliation. The difference is that for complaints against private sector
organisations, investigation by the Privacy Commissioner will act as the first step before a
matter can be lodged in the Tribunal.
Issues for public sector agencies
The challenge for government agencies is how to respect the personal information of the
many and varied people they deal with.
As with any new compliance issue, it can be hard work.
The implementation of privacy laws and policies inevitably involves difficult decisions, in
which competing interests will have to be weighed. In particular, one must always consider
the public interest in the protection of individuals‟ privacy, as well as the public interest in
open and accountable government decision-making.
But I would suggest to you that these two particular interests are not necessarily in conflict.
Privacy laws, like freedom of information laws, are about shifting the locus of power away
from the government and business, and towards the citizen and consumer.
A particular challenge for agencies is that, unlike other administrative law areas such as FOI,
it is becoming harder to protect privacy by default.
There used to be certain natural barriers which protected people‟s privacy by default – the
barriers of time, distance and cost. In the days of paper files, the sheer effort of collecting
and tracking detailed personal information about the average person was simply not worth
the effort. And hence privacy was, for the most part, protected by default.
Those days are gone, and that‟s why organisations have to be much more pro-active than
they used to be to ensure that they are „privacy compliant‟.
Like any organisation, Privacy NSW must respond to the changing environment.
In social, political and technological fields, the 21st century is shaping up to be the
„Information Age‟, and the demands for privacy and information management expertise will
only continue to grow. Privacy NSW needs to change and grow, in order to meet these
challenges in the future.
A key strategy we are following is to build the network of Privacy Contact Officers across
every agency. It may be of interest to you to note that results from our recent survey
suggest that only 8% of Privacy Contact Officers sit within legal or compliance areas of
public sector agencies.
In particular, a recent survey of the Privacy Contact Officers from every agency highlighted a
significant un-met demand for on-going education and training of public sector agencies, and
better communication with our stakeholders. Privacy NSW now has a dedicated position
responsible for public awareness, respondent education, training and publications.
Our immediate strategy in this area is to improve our educational assistance to public sector
agencies, through a number of different tools.
In the past 6 months, Privacy NSW has released a number of new „products‟, if I can call
Perhaps the most exciting has been an online training program about the PPIP Act and its
interaction with related legislation like the FOI Act and the State Records Act. It has a
specialised local government module which explains how all of these work with the Local
Government Act too. A joint project with the Department of Commerce who provided the
funding, we launched this CD-Rom at Parliament House two weeks ago. A copy has been
sent to every State and local government agency in NSW, free of charge. It is a program
which can be run through an agency‟s intranet, so that all staff can complete online training
at any time.
We‟ve also held a stakeholder consultation on the „consent and capacity‟ guidelines I
mentioned earlier, which we hope to finalise by the end of the year.
We‟ve also just launched a general newsletter called “Need to Know”, and we‟ve started
producing a series of Fact Sheets, all of which are available on our website. A few months
ago we also launched an Internal Review Checklist for public sector agencies to follow. The
checklist includes cross-references to the Act, helpful advice on process based on ADT
judgments to date, and tips from our experience of oversighting the hundreds of Internal
Reviews lodged since the Act commenced.
Not forgetting members of the public, we also produced a standardised Internal Review
application form, and we‟re about to print the first of a number of brochures about privacy.
Next up is an overhaul of our website, to make it more easily navigable and helpful for all
Well that concludes my presentation. I would like to thank you for your attention, and if there
is time I would be happy to take any questions.