AUSTRALIAN PRIVACY CHARTER COUNCIL
Proposed Code of Practice for disclosures of personal information outside New South Wales
Submission on the Consultation paper issued by Privacy NSW, April 2001
May 2001

Convenor

Australian Privacy Charter Council

Version of 30 May 2001

© Australian Privacy Charter Council, 2001

This document is at http://www.privacy.org.au/apcc/Submns/NSWPCExport0106.html


Introduction

The Australian Privacy Charter Council is known to the Privacy Commissioner - details are available at http://www.apcc.org.au. The Council's interest in this Code arises from its broad objective of monitoring Australian privacy initiatives in the context of developing international best practice. While the Charter does not expressly include a `data export' clause or principle, both the security and use and disclosure limitation principles (14 & 15) are relevant.


Comments

Paragraph 7 suggests that disclosures outside NSW can be `authorised' by any Codes made under the PIPPA. This is surprising - we had assumed that the reference to `a code' in s.19(2)(b) was intended to mean a (one) code dealing specifically with this issue. We can see however how the plain wording of the principle would allow authorities for disclosures outside NSW to be dispersed in a number of other Codes. We question however whether this is desirable. Presumably the Commissioner wishes to ensure that a common and consistent set of criteria are applied to `data exports'. This will be much easier to achieve and maintain if there is one source of authority (other than other legislation which takes priority by virtue of s.25).

Once the common criteria have been established, there is no reason why other Codes cannot `pick up' and repeat them, in the same way as they can re-state other Information Protection Principles so that they are a `self-contained' statement of what an agency can and can't do with personal information.

We agree with the statement in paragraph 12 that "any other code which authorises departures from section 18 and 19(1) should not be read as authorising a departure from section 19(2) unless this is explicitly stated". However, it will be clear from the above that we do not agree with paragraph 13 which states that "The provisions of the proposed [s.19?] code should as far as possible be subordinated to provisions of a code prepared by an agency." The reverse should be true.

The Draft code sets an unfortunate tone in appearing to presume that there will be a need for many exceptions. The starting point of section 19 is surely to restrict disclosures to jurisdictions where the data will be protected to an equivalent standard. Where a law provides this protection, s.19(2)(a) allows the Commissioner to give a general `approval' by determining and gazetting that law. Where no such law can be `determined', the onus is surely on the Commissioner to only approve Code provisions that ensure an `adequate' level of protection is provided in some other way. The Commissioner should be very cautious about allowing further exemptions that detract from the objective of s.19(2).

Paragraph 10 sets up a false dichotomy - authorizing all disclosures would undermine the purpose of s.19(2), while authorizing specific itemized disclosures is not the only other option. A preferable approach would be to set out criteria against which agencies must assess proposed `data exports'.

Since one of the purposes of this section is to meet international standards, and avoid restrictions on data transfers from other jurisdictions, we suggest that the Commissioner should apply similar criteria to those published by the European Union for assessment of adequacy in relation to Articles 25 & 26 of the EU Data Protection Directive.

The fact that the breadth of the general exemptions in the Act may lead to the EU rejecting it as `adequate' for the purposes of the Directive (and other jurisdictions doing the same under their laws) should not deter the Commissioner from seeking to ensure that the implementation of the `onward transfer' provisions (s.19(2) + any determinations or codes under that section) do not provide additional grounds for rejection.

Paragraph 14 suggests that conditions be placed on recipients of information disclosed under a section 19 `authority' - similar to the restriction on other NSW agencies imposed by s.18 - to use or disclose the information only for the purpose for which it is given. This is a desirable condition, provided the disclosing agency is required to clearly and narrowly specify the purpose of release. This would then interact with any privacy law or Code in the recipient's jurisdiction (as suggested in Paragraph 14) by becoming the `purpose of collection' of the recipient.

However, it is not sufficient to impose conditions only on use and disclosure - recipients should also be required to respect other relevant principles such as quality and security. (It is less appropriate to try to `pass on' some of the principles such as collection and access and correction, as these have no direct relevance to the information disclosed.) Where the recipient's jurisdiction is subject to an adequate law (determined as a `relevant law' by the Commissioner), these obligations will apply without the disclosing agency having to take any action, but in other cases, a s.19(2)(b) Code (or codes) should require disclosing agencies to enter into either a contract or a binding agreement with the recipient, covering the relevant obligations. Clauses 5 & 6 in the draft Code go some way towards this but are not adequate. Clause 5 does not specify any `content' for the memoranda with other government agencies, which should be essential.

A number of agencies/activities are suggested for exemptions in paragraph 11. As a general comment, there is insufficient information provided as to why these exceptions are required. Given that in many cases, they are already the subject of specific exemptions in the Act, better justification, with examples, is necessary to allow an assessment of their merits.

Based on the limited justification given, we offer the following specific comments on the proposed exceptions:

  1. Law enforcement (Clause 1A). This amounts to a general exception to allow virtually any transfer concerning persons of interest, `just in case' the specific circumstances do not fall within the already broad exemption in ss 23 & 27 - particularly since s.23(7) expressly deals with s.19. The reference to personnel and training is unexplained - is this to allow transfer of personal information about law enforcement officers, rather than persons of interest? It should not be the function of any codes, least of all one concerning transfers to jurisdictions without privacy laws, to facilitate disclosures which are not within exemptions specifically designed for law enforcement. If agencies can point to specific problems that the law creates, the first solution should be to seek amendments to the Act which will have to be justified to the satisfaction of Parliament. Only if there is some urgent need to ensure that significant operational law enforcement activities are not impeded should the Commissioner consider specific exemptions by means of, preferably, a temporary Direction under Section 41, and only in extreme cases by a Code of Practice.
  2. Agricultural contexts (Clause 1B). This is seemingly innocuous, but it is not explained why it is not covered by an existing exemption.
  3. Revenue (Clause 1C). Similar objections to the law enforcement one.
  4. Health (Clause 1D). Similar objections, magnified by the completely open-ended wording and the fact that this will cover some of the most sensitive information. Item (a) should be covered by the s.28(2) or s.26 exemptions, and most transfers under (b) and (c) by the s.25 exemption. Much more specific examples and justification are required.
  5. HR (Clause 1E). It is difficult to see why transfers for these purposes would ever be necessary without the consent, or for the benefit, of the individual concerned, and therefore covered by s.26. It is noted that this is the only one of the five suggested exceptions where conditions are mentioned, although not specified.
  6. Contracts (Clause 1F). It is unclear why this is necessary, as information in the possession of a person engaged by an agency is deemed by s.4(4)(b) to be held by the agency - in such circumstances there is arguably no disclosure. If for some reason this does not deal with the issue, this is one suggestion that we would not oppose in principle, subject to our general comments about the need for conditions.
  7. Student records (Clause 1G). Again, not clear why this would not be covered by s.25 or s.26.

Re Clause 4 - It seems illogical not to allow the exceptions in the Code to apply to `sensitive information' defined in s.19(1) if they are included in records concerned, particularly in the law enforcement case.

Re Clauses 5 & 6 - In all these cases, if they were to be included, there should be specific conditions placed on the recipient (as discussed above - including agencies of other governments), and an obligation on the disclosing agency to monitor the use of the information and enforce those conditions.

Re Clause 7 - it is not clear why the provisions of s.57 relating to public registers should not apply to access by persons outside New South Wales. If it is desirable to require evidence of purpose from NSW users it is surely even more justified to require them of persons in jurisdictions without comparable privacy laws?

Re Clause 8 - This would remove the protection of s.58 in circumstances covered by Clause 1(A), (B) and (C). Surely the fact that Parliament has not seen fit to extend the effect of the exemptions - particularly ss.23 & 27 - to s.58 should make the Commissioner pause before proposing such a radical change?


Nigel Waters

Convenor
Australian Privacy Charter Council
E-mail: convenor@apcc.org.au


Created: 30 July 2001

Last Amended: 30 July 2001

