Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Johnston, Anna --- "Reviewing the NSW privacy Act: Enforcement" [2004] PrivLawPRpr 47; (2004) 11(4) Privacy Law and Policy Reporter 112

Reviewing the NSW privacy Act: Enforcement

Anna Johnston

The submission by Privacy NSW to the review of the State’s privacy legislation is one of the most comprehensive and critical analyses of the Act since its enactment. Anna Johnston was NSW Deputy Privacy Commissioner at the time of writing the submission. Part I of this article in (2004) 11(3) PLPR 61 considered the adequacy of the IPPs and exemptions from them.(General Editor)

Adequacy of the enforcement mechanisms

Part 3.2 of Privacy NSW’s submission on the review of the PPIP Act examines the mechanisms by which the privacy standards set out for state and local government by Parliament are or can be enforced. The mechanisms include enforcement by and for individual complainants, and how systemic issues are or could be addressed. The submission examines whether the mechanisms are appropriate and effective, and whether the processes for all parties are clear and fair.

Introduction to the enforcement mechanisms

The PPIP Act aims to protect ‘personal information’. Enforcement of the privacy standards set out in the Act for information privacy (the IPPs and the public register provisions) is primarily through administrative review. Individual applicants may seek internal review of conduct or a decision, with binding findings and enforceable remedies available on subsequent application to the Administrative Decisions Tribunal for a fresh review.

The result of this adversarial and typically one-sided litigation model is that it is in the interests of respondent agencies to argue before the Tribunal for the broadest possible interpretations of exemption provisions, against individual applicants who are often ill-equipped to argue the contrary position, and often have little interest in the implications of statutory interpretation beyond the impact on their own matter.

It would appear that Parliament sought to address this imbalance by creating a role for the Privacy Commissioner in Tribunal proceedings. The Privacy Commissioner does not support, advocate for or represent either of the parties to the dispute. We approach our role in the Tribunal as pursuing an interpretation of the PPIP Act that promotes the objects of the Act, namely to protect the privacy of individuals.

On the other hand, the PPIP Act also aims to protect ‘the privacy of individuals generally’. This is primarily achieved by a complaints-handling and conciliation role for the Privacy Commissioner, not limited to information privacy matters subject to the privacy standards set out in the Act. This role – encompassing the resolution of complaints as varied as bodily privacy, territorial privacy and the privacy of communications – was inherited by the Privacy Commissioner upon abolition of the Privacy Committee, which existed from 1975 to 1999.

The Privacy Commissioner also has some ability to address systemic issues by way of inquiries and investigations into ‘privacy related matters’, in which he or she may exercise Royal Commission powers, and by way of advice, assistance and education.

In using two models, the PPIP Act seems to be trying to have a bet each way: a specialist, free complaints conciliation service (Privacy NSW), and a mechanism by which complainants can obtain an enforceable remedy and/or large volumes of case law can be generated (external review by the Tribunal) while also acknowledging and trying to address the power imbalance faced by complainant litigants (independent role for the Privacy Commissioner in the Tribunal). Yet it is possible that in trying to please everybody, the processes in the PPIP Act serve nobody.

Our submission outlines some of the deficiencies in these two models - complaint conciliation, and administrative review - for the enforcement of privacy standards and bringing about systemic change. We also pose various options for reform.

Role of enforcement mechanisms in achieving the Act’s objectst

Neither of these two models - complaint conciliation, and administrative review - is particularly adept at bringing about systemic change in the way in which government agencies are expected to handle personal information in particular, or protect privacy in general. Yet the objects of the PPIP Act are to bring about just such a transformation.

However before considering reform or alternative models, it is worth pausing to consider who each model of enforcement serves. The five main stakeholder groups and their likely interests might be summarised as:

Individuals with privacy complaints

• want a fast / simple / cheap resolution of their complaint

• often only seeking acknowledgement of wrong-doing and an apology[1]

• may want their ‘day in court’ for a sense of closure

• may desire systemic change (‘I don’t want this to happen to anybody else’)

• uninterested in statutory interpretation except as directly affects their complaint

Individual agencies responding to privacy complaints

• want clarity in the law

• may want a fast / simple / cheap resolution of the complaint

• yet willing to litigate in order to resist complaints seen as unmeritorious

• may resist systemic change

Specialist privacy practitioners (advocates, academics, lawyers)

• interested in case law as a means of aiding interpretation of the Act[2]

• not directly interested in individual complaints or their resolution

• may want to bring about systemic change

Privacy NSW

• want to ensure the robustness of privacy laws

• interested in case law as a means of aiding interpretation of the Act

• want to bring about systemic change

• yet also supposed to conciliate cases wherever possible

The Government

• want a fast / simple / cheap way in which to resolve privacy complaints made against government, to maintain trust in government

• concerned about costs of litigating complaints

• not directly interested in individual complaints or their resolution

It should be acknowledged that these interests often sit in tension. For example, a case before the Tribunal may have some prospects of settlement through mediation if the complainant’s case is strong and the facts are not in dispute. The respondent is likely to favour an out-of-court settlement, Privacy NSW and privacy advocates would be likely to prefer an open judgment, and the complainant must decide between the path of least resistance in settling, and the satisfaction but uncertainty of their ‘day in court’. This illustrates the difficulty in using an adversarial model to enforce laws that by their very nature are aimed at systemic change.

The submission does not offer any radical solutions to this dilemma, nor do we suggest whose interests ought be given precedence. Perhaps it is better to focus upon how (we trust) all parties see the ideal situation: no privacy complaints, because all members of the public share the same expectations of privacy and accept a sensible balance with other interests, the law reflects those shared public expectations perfectly, all agencies understand the law perfectly, and all agencies comply with the law perfectly. In that sense, the ultimate aim of Privacy NSW is to do itself out of a (complaints-handling) job.

However in our very imperfect reality, a mechanism by which to enforce the law and resolve complaints is needed. Nonetheless it is worth remembering the utopia just described, particularly when thinking about the mechanisms by which privacy can be protected by means other than complaints-handling, such as education, advice and assistance.

In part 3.2.4 of the submission Privacy NSW proposed an alternative model, in which complaints investigated by the Privacy Commissioner may then be reviewed by the Administrative Decisions Tribunal, as an alternative to the existing path of internal review then review by the Tribunal. This proposal is only in relation to complaints which could otherwise be dealt with by internal review – that is, a complaint about the handling of personal by a public sector agency. That is, we recommend that complainants may choose either internal review or an investigation by the Privacy Commissioner, but regardless of their choice they can seek a subsequent review by the ADT in order to obtain an enforceable remedy.

If this suggestion were adopted, one possibility is that the Privacy Commissioner could assist to narrow issues and make a prima facie determination before any matter reaches the Tribunal. This would be similar to the role envisaged for the Privacy Commissioner under the Health Records & Information Privacy Act 2002 in relation to complaints against private sector respondents[3] .

Enforcement of the offence provisions

In the four years since the PPIP Act fully commenced, there has not been a single prosecution of the criminal offence provisions in Part 8 of the PPIP Act. This outcome is not because no matters have come to our attention, but because we have not had the ability to deal with such matters adequately.

Privacy NSW has not been resourced to the level necessary to attempt the level of forensic investigations or examinations necessary to consider mounting a prosecution of criminal offences, which require particular skills, time[4] , facilities[5] , and powers[6] . Likewise the Privacy Commissioner has held no public or private hearings, despite having the powers to do so.

Attempts to seek the cooperation of other agencies with the powers and resources to conduct investigations and/or prosecutions of the offences in Part 8 of the Act (such as NSW Police, the Police Integrity Commission, the ICAC and the Director of Public Prosecutions) have not to date been fruitful. There are some good reasons why these agencies cannot resolve our difficulties; for example the ICAC only regulates public sector officials. By contrast the offences in Part 8 of the PPIP Act relate in some cases to public sector officials (such as corruptly disclosing or using personal information), but in other cases relate to people outside the public sector (such as inducing a corrupt use or disclosure). Nonetheless two matters referred to the ICAC for investigation as possible breaches of the ICAC Act and/or Part 8 of the PPIP Act by public sector officials were declined[7] .

The result is that Privacy NSW is aware of several instances where conduct may amount to a criminal offence, but to date has not been able to progress those matters.

Anna Johnston, Director, Privacy & Information Management Consulting, Salinger & Co - Anna was the NSW Deputy Privacy Commissioner at the time of writing its submission for the review

[1] Interestingly almost no complainants or internal review applicants are seeking compensation. To date only two internal review matters have resulted in compensation, and no Tribunal matters have involved an order for compensation.

[2] See for example the editorial in Privacy Law and Policy Reporter (2004 10(10) PLPR), in which the PPIP Act is praised for its ability to generate large volumes of cases before the ADT, while the Federal Privacy Act is criticised for the manner in which complaints are conciliated behind closed doors, with no case law from the Federal Court.

[3] See sections 45-48 of the HRIP Act.

[4] In the past four years, depending on the budget available each year, Privacy NSW has employed between one and three fulltime investigations officers to handle complaints and the oversight of internal reviews, as well as (with other officers) answering telephone enquiries, answering requests for advice, and participating in inter-departmental working parties and the like.

[5] Although the PPIP Act provides the Privacy Commissioner with Royal Commission-type powers to conduct public or private hearings, Privacy NSW has no budget allocation to facilitate the hiring of hearing rooms, interpreters, transcribers, counsel assisting, and so on.

[6] Unlike the Independent Commission Against Corruption, Privacy NSW does not have surveillance capacity, or the power to issue or seek search warrants, listening devices, or telephone interception.

[7] For example one matter was referred to the ICAC by a local council following its internal review of a complaint. The ICAC declined to deal with the matter on the basis that the matter was already with Privacy NSW. However our only role was to oversight the internal review process; we had no formal complaint to invoke our investigation functions. For a full description of that case see pp 33-35 of the Privacy NSW 2002-03 Annual Report.