Search This Blog

Wednesday, March 05, 2014

Anything goes in NSW on trans-border disclosure of personal information

The NSW Parliament enacted the Privacy and Personal Information Protection Act in 1998.

The act came into effect two years later, allowing plenty of time to prepare, and the parliament gave the authorities (section 19) an extra year at least to take steps to develop special tailored rules in the form of a code of practice regarding trans-border disclosures. Until a code was issued, legislative provisions regarding interstate disclosure would not apply.

Thirteen years later those rules still do not exist. 

The result - no real surprise - is  a ruling in NCAT this week by Senior Member Molony (Bevege v Commissioner of Police, NSW Police Force [2014] NSWCATAD 22) that in the absence of a code the provisions of PPIPA do not apply to disclosure interstate by the Police of personal information about the applicant.

Over five years ago a Crown Solicitor opinion given to this effect in 2007 came to light and the ADT found that a teacher had no recourse under PPIPA when personal information about her was disclosed interstate.

Senior Member Molony in Bevege [at 14] noted that the absence of a code under s 19 "is a matter that the Privacy Commissioner has now taken steps to address" so wheels have ground or are grinding behind the scenes - a code is yet to appear on the IPC website.

The Applicant and the Privacy Commissioner (a change since 2008 when the then commissioner argued the opposite) submitted that as a matter of construction the ordinary limitations on disclosure in section 18 should apply to the conduct in this case even in the absence of a specific rule about  interstate disclosure. 

However Judicial Member Moloney decided he should follow earlier ADT decisions in rejecting this submission "in order to ensure consistency in decision making by the Tribunal"[23].. "There is already a considered decision determinative of the issue. The appropriate forum to seek a reconsideration of that authority is at appeal level"[26].

In an earlier decision GQ v NSW Department of Education and Training (No 2) [2008] NSWADT 319) Deputy President Handley said[14]
that section 18(1) is a general provision limiting the disclosure of personal information, whereas section 19(2) is a specific provision dealing with disclosure of personal information to a person or body outside NSW. The effect of the application of the generalia specialibus presumption, there being no indication that the presumption should not be applied, is that the specific provision - section 19(2) - prevails to the extent of any repugnancy with the general provision - section 18(1). Thus, section 18(1) does not apply in respect of the disclosure of personal information by a public sector agency in NSW, such as the Department, to any person or body in a jurisdiction outside NSW or to a Commonwealth agency.
The Applicant in Bevege contends conduct by the NSW Police involved a breach of privacy when information about her was conveyed to her employer outside the state for no apparent police related reason. 

Not mentioned in the decision is that even if s 19 applied as a result of a code of conduct, or an appeal court overruled the Tribunal on the application of s 18 to a disclosure of personal information outside NSW, the NSW Police are not subject to PPIPA except in connection with the exercise of their administrative and educative functions (Section 27(2)). 

As other complainants about NSW Police conduct have found (just one from last year) this too is a formidable hurdle in holding the police to account regarding the handling of personal information.

On that score four years ago the NSW Law Reform Commission in its report Protecting privacy in New South Wales [2010] NSWLRC 127 considered the scope of s 27[5.54]-[5.68] and concluded
"there is no justification for the current level of exemption for the NSW Police Force." 
The Commission recommended [5.4 and 5.5] removal of the immunity or a significant narrowing of its scope to bring NSW in line with Commonwealth and Victorian privacy law.

Along with a raft of other recommendations, recognised holes, gaps and other inadequacies in NSW privacy legislation, that hasn't been acted upon either. 

Sections 18 and 19 of PPIPA are reproduced below.

Senior Member Molony gave the applicant a glimmer of hope in keeping alive an argument that the Police had breached s 17 of PPIPA in the use of personal information within NSW.

18 Limits on disclosure of personal information (1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it. 19 Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.

(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless: (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency, or
(b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a "relevant privacy law" means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales and to Commonwealth agencies.
(5) Subsection (2) does not apply:
(a) until after the first anniversary of the commencement of this section, or
(b) until a code referred to in subsection (4) is made,
whichever is the later.



3 comments:

  1. Anonymous10:14 am

    The mind boggles at the illogical interpretations of this poorly drafted law, and at Parliament's inaction to fix some of these more outrageous gaps in legal protection. And just to make matters worse, did you notice that NCAT published the name of the applicant in this judgment? Only the second time that has happened in 300 NSW privacy cases since 2001, by my count. Anna J

    ReplyDelete
    Replies
    1. Anonymous6:46 am

      There has been a further illogical interpretation of the HRIP Act in ALZ v WorkCover NSW [2014] NSWCATAD 49 (24 April 2014). The Tribunal found that the Respondent was legally permitted to hold, use and disclose health information collected in contravention of HPP 3, the direct collection principle, and HPP 4, the notification principle. This interpretation, if applied to other laws, would legally entitle a bank robber to spend the proceeds of the crime because they were in possession of the money.
      In addition, the Tribunal have said that because the Respondent had no reason to doubt the accuracy of the up-to-date health information, the irrelevance and misleading nature of the information didn’t matter.
      Sadly, the background information in the Decision omitted to say that the Applicant was wrongly accused of falsifying time sheets; an error that unfairly implies that the Applicant was a dishonest employee.
      ALZ

      Delete
  2. Anna,
    I understand that the Applicant asked that her name be used -she figures she hasn't done anything wrong. But on names generally maybe a new approach coming. For starters see see the NCAT decision in Beer. Cheers.

    ReplyDelete