CURRENT PRIVACY LAW – from an agency perspective
___________________________________
The Privacy and Personal Information Protection Act 1998
The Litigation Experience of the NSW
Office of the Director of Public Prosecutions
___________________________________
Paper delivered at the Government Lawyers CLE Convention 9.9.03
N R Cowdery AM QC, Director of Public Prosecutions (NSW)
_________________________________________________
To date the NSW Office of the Director of Public Prosecutions (ODPP) has been involved in litigation under the Privacy and Personal Information Protection Act 1998 (the Privacy Act) on four occasions. It has been asserted by three accused persons and by one police witness that the ODPP has contravened Information Protection Principles (IPP’s) relating to collection, retention, alteration, use and/or disclosure of personal information. Results to date have been mixed: one matter was settled, one matter is to be heard at the end of September 2003, one matter has been heard and judgment is reserved and the fourth was decided in favour of the ODPP.
In this paper I will discuss the lessons we have learnt from our experience to date. I expect that many of the issues raised in the litigation against the ODPP are common to other agencies and hope that you can benefit from our (at times painful, but instructive) experiences thus far.
We have identified four issues to be addressed early in the process of analysis.
Issue 1: Does the conduct involve “personal information”?
This is the first question to ask when it is asserted that your agency has breached an IPP. “Personal information” is defined in very broad terms in section 4 of the Act. (Relevant sections of the Act are attached to the back of this paper as Appendix A.) But there are a large number of exceptions listed in s.4(3). Check whether the information that your agency has dealt with falls within one of them.
The issue may be illustrated by a case in which the ODPP is involved.
In F v ODPP (to be heard later this year), the ODPP intends to argue that the information disclosed, which was a police brief of evidence, was not “personal information” because this brief falls within the exemption for “information or an opinion about an individual’s suitability for appointment or employment as a public sector official” (see s.4(3)(j)).
The background to the matter is as follows.
On 1 April 2001 F was charged with two counts of sexual intercourse without consent. At the time of the alleged offences F was employed as an ambulance officer by the Ambulance Service. Both offences were alleged to have occurred in the back of an ambulance. The first offence was alleged to involve the wrongful administration of a drug to the complainant and another woman. The police informant subsequently prepared a brief of evidence which was submitted to my Office. Following consideration of this brief and representations by F’s solicitors, the prosecution was withdrawn on 9 January 2002. At the time of withdrawal, no material had been tendered to the court.
On 5 April 2001 pursuant to clause 17 of the Ambulance Services Regulation 2000 (“AS regulation”) the Chief Executive Officer of the Ambulance Service appointed Wendy Klaassen to conduct an inquiry into six alleged breaches of discipline by F, being misconduct within the meaning of the AS regulation. The allegations which were the subject of the two criminal charges were related to at least one of the breach of discipline charges being inquired into by Ms Klaassen.
On 14 December 2001 Ms Klaassen wrote to an ODPP office requesting that a copy of the brief of evidence be forwarded to her to enable her to conduct the inquiry. An ODPP lawyer, after receiving a letter indicating that the police had no objection to the disclosure of the brief, forwarded the brief to Ms Klaassen.
F subsequently requested the ODPP to conduct an internal review. F sought a formal apology and remedial action. The internal reviewer concluded that the provision of the brief to Ms Klaassen, although done in good faith, was in breach of the disclosure IPP in s.18 of the Act. The ODPP formally apologised to F for breaching his privacy and undertook to direct all staff not to take such action in the future.
F subsequently applied to the Administrative Decisions Tribunal (“the Tribunal”) for review of the conduct of the ODPP, complaining of breach of the disclosure IPP’s. The application also named the Ambulance Service as a respondent and complained about the collection of personal information by the Ambulance Service in breach of ss.8 and 11 of the Act (the application for review of the conduct of the Ambulance Service is being considered separately from the proceedings concerning the ODPP).
The information contained in the brief of evidence included personal information relating to F and others, within the general definition in s.4(1). In view of advice received from the Crown Solicitor, the ODPP intends to argue in the Tribunal that the information falls into the category of information excluded from the definition of personal information by s.4(3)(j), as it was information about F’s “suitability for employment as a public sector official”.
The ODPP relies upon the remarks of O’Connor P in Y v Director General, Department of Education and Training [2001] NSWADT 149 at [28] – [38]. In that case the relevant information related to an enquiry into the affairs of a school and the conduct of a particular assistant teacher. The decision confirmed that information about a person’s ongoing suitability to remain in employment falls within the scope of the phrase “Information about suitability for employment”. The definition is not restricted to information relating to the initial act of employing an individual.
The crucial test is “whether having regard to the content of the information in issue and the context in which it is found it can reasonably be said to be `about an individual’s suitability for appointment or employment’”.
The ODPP asserts that although the brief of evidence was generated prior to the disciplinary enquiry and related to criminal charges, in the context in which it was given to the Ambulance Service, the brief became information relevant to a disciplinary enquiry into F’s continued suitability to remain in the employ of the Service.
It is evident from Y’s case that information about an offence can become “information about an individual’s suitability for employment as a public sector official” when it is collected in a particular context. The ODPP will argue that the decision in Y confirms that s.4(3)(j) does not apply only to information that is expressly addressed to the question “Is this person suitable for continuing employment”. Such a restrictive interpretation would unduly restrict the operation of
s.4(3)(j) and would undermine the objective of the exemption, which is to ensure that public sector agencies have the opportunity to properly investigate and evaluate matters relating to the suitability of their employees.
In this respect F’s case will be a very significant one. The exemption in s.4(3)(j) is applicable to personal information held by all public sector agencies and the interpretation of it will accordingly have general application.
Issue 2: Identify the relevant IPP
This is stating the obvious; but some complaints can cover a lot of ground, not all of it concerned with the conduct proscribed by the Privacy Act.
Identify which of the 12 IPP’s your agency is said to have breached and in what way/s. Where you have received a request to conduct an internal review, work your way through the complaint in a systematic way and analyse it in terms of the IPP’s. Unless you do this, you will not be able to identify the exemptions which potentially exonerate your agency.
One other matter to be aware of is the trigger for an internal review. The complaint that you receive about your agency’s conduct may not expressly ask for an internal review to be conducted. However, it does not have to. So long as it satisfies the matters listed in s.53(3), you must conduct an internal review. Don’t forget that you are then obliged to advise the Privacy Commissioner and keep him/her advised of the progress of the review, its findings and the action taken (s.54).
Issue 3: Identify the exemptions applicable to your agency
As you know, the Act contains many exemptions from the IPP’s. Some exemptions apply to all agencies and others apply to a class of agencies (for example designated investigative agencies or law enforcement agencies) and some apply to specific agencies only.
We have found it of great assistance to devise a table which lists each IPP and, beside that IPP, the exemptions which apply to the ODPP. The ODPP is defined as a “law enforcement agency” and so additional exemptions apply to it. As a guide only, a copy of the table developed by the ODPP is attached at Appendix B.
A table of this kind provides a ready tool in analysing whether the conduct of your agency has in fact breached the Act.
Also bear in mind that any agency may develop a privacy code of practice, which, inter alia, can exempt the agency from compliance with an IPP (s.30). The code must be approved by the Privacy Commissioner and the Attorney General. The ODPP has developed a very limited code applicable to specific disclosures.
Also note that the Privacy Commissioner may make written directions that an agency is not required to comply with an IPP: see s.41. The various directions issued to date are published on the Commissioner’s website. Check these, as the result may be that your agency has not contravened the Act.
Issue 4: Consider whether the exemption applies to the relevant conduct
Much of the litigation in which the ODPP has been involved has turned on this issue.
Examples of the situations we have faced are:
1. when a District Court Judge says that he refuses to accept a medical certificate tendered by the prosecution on behalf of an absent witness and requires the doctor to fax a complete medical report to the court within 2 hours, how can the ODPP obtain the further medical report without breaching the Privacy Act?
2. when a police officer obtains personal information under an invalid subpoena and provides it to a Crown Prosecutor, what is s/he to do to avoid breaching the Privacy Act?
3. can the ODPP provide a police brief of evidence about an accused person to his employer (which is a public sector agency), without breaching the disclosure principles in the Act?
_________________________________________________________________
To illustrate the relevant principles and exemptions, I will now turn to the litigation in which the ODPP has been involved to date.
1 GV v ODPP [2003] NSW ADT 177
(a) Alleged Breaches
This case involved an application pursuant to s.55 of the Act for a review of the conduct of the ODPP in dealing with personal information in a medical certificate relating to the applicant police officer. The applicant alleged that the ODPP had contravened two IPP’s relating to the collection of personal information. GV sought orders including damages pursuant to s.55(2)(a) of the Act. The ODPP contended that it had not breached the Act and, in the alternative, that the ODPP was exempt from compliance with the IPP in s.9.
(b) The Facts
The facts in the matter were largely uncontested. GV was a NSW police officer who was the informant in criminal proceedings being conducted by the ODPP. GV advised an ODPP clerk that he was unavailable to attend court from March – June 2002. GV was booked into hospital at this time in order to undergo major abdominal surgery and did not wish his employer (the NSW Police) or any other person to be advised as to the exact nature of the surgery or the medical reason for it.
GV was later advised by the ODPP that the trial in which he was a witness was listed to commence on a particular day in April 2002. GV contacted the ODPP clerk and advised that he was not available during that period. He was asked to provide a medical certificate and did so. This certificate stated that he was booked for major surgery on 11 March 2002 and would be unfit for work from that date to 11 July 2002 inclusive.
The ODPP filed a Notice of Motion seeking that the trial date in April be vacated. The application was supported by an affidavit from a prosecutor, attached to which was the medical certificate provided by GV. After the tender of the medical certificate, the presiding judge stated as follows: “I refuse to accept this certificate… this certificate is worthless. I require to know, and the doctor should know, that the court would require something over and above `is booked for major surgery’. For what?” The Crown Prosecutor indicated that he could not go beyond the affidavit or the certificate. The judge then said: “Well I require the doctor to fax a complete report to this court by 1pm today”. His Honour stood the matter down until 1 o’clock.
Present in court when the judge made these remarks were the ODPP instructing solicitor and an ODPP clerk. The solicitor asked the clerk to relay details of the judge’s order to the office managing lawyer. The clerk informed the managing lawyer that: “Judge [name] has ordered that a further medical report about the condition of [GV] be obtained and tendered to the court”. The managing lawyer asked the clerk to contact the doctor and obtain the requested report, which she did. In her discussions with the doctor, she conveyed that he had been ordered to provide a further medical report to the Court by 1pm that day. He protested that his client expressly did not want the details of his medical condition or the nature of the surgery revealed to anyone. The ODPP clerk stated that the report would not be given to the applicant’s employer and it was for the court only. She suggested that he send the report to the ODPP by facsimile and she would then make arrangements to deliver it only to the Crown Prosecutor and on to the judge. The clerk said that she could arrange it so that the original report could be retrieved from the judge and returned or destroyed. The doctor said that he would prepare the report and that he trusted the court would keep it confidential. He faxed the report to the ODPP office around 1pm while the ODPP clerk attempted to contact GV by telephone. The clerk, upon receipt of the report, took it to the courthouse and gave it to the instructing solicitor and Crown Prosecutor.
At about the same time GV received a telephone call from a police officer stating that the ODPP clerk had contacted him and wanted GV to contact her. GV telephoned the ODPP office and eventually spoke with the clerk at about 1.30pm. GV was advised that the judge was not satisfied with the medical report provided earlier and had “ordered” a further report be made by the general practitioner urgently and that she had requested and obtained a further report setting out the applicant’s medical condition and the nature of the surgery (these were the matters which GV had not wanted disclosed). GV then asserted that the ODPP clerk had breached his privacy and was passed to the instructing solicitor to whom he made the same complaint.
As a result of GV’s complaint, the Crown Prosecutor was requested not to tender the second medical certificate and it was never shown to the judge. The certificate was returned to GV shortly afterwards and he retained possession of it.
The presiding judge was somewhat displeased with the failure of the Crown Prosecutor to tender the certificate and contemplated the possible summoning of GV to the court to explain the position. A senior police officer subsequently attended the court and gave evidence indicating that he was aware that GV had in March 2002 undergone major surgery and as a result was suffering an enduring, chronic, debilitating medical condition and was not expected to return to full duties until September 2002.
The presiding judge then made a number of remarks indicating that he believed that medical information was being wrongly kept from him. His Honour then reluctantly vacated the trial and requested that a transcript of his remarks be taken out and forwarded to the personal attention of the Commissioner of Police and myself.
Shortly afterwards GV lodged a complaint with my Office asserting that the IPP’s relating to collection of personal information had been breached by my officers in collecting the second medical certificate. An internal review was conducted. The reviewer found no breach of the collection IPP’s and that a relevant exemption was applicable.
Shortly afterwards GV lodged an application for review of the internal decision to the ADT. The matter was heard on 7 March 2003 and judgment delivered on 25 July 2003.
(c) The Issues
The issues were:
1. was the personal information in the 2nd medical certificate obtained by ODPP officers collected by any unlawful means in contravention of s 8(2) of the Privacy Act;
2. as the personal information was collected from the doctor in circumstances where the applicant had not authorised collection of the information from the doctor ( which was a contravention of s 9(a) of the Privacy Act), do the exemptions contained in ss 23 (2) and 25(a) of the Privacy Act apply?
(d) Onus of proof
A preliminary issue arose as to the onus of proof. The applicant submitted that no party bore an onus of proof in the ordinary legal sense of that expression. The applicant contended that he bore an initial or evidential burden of proof so as to raise a prima facie case that the relevant IPP’s were contravened and conceded that he must place sufficient material of probative value before the ADT in order to “get his case off the ground”. The ODPP submitted that the applicant bore an onus of proof and that the standard of proof applicable was the common law civil standard of proof; ie the Tribunal had to be satisfied of any breach or contravention of the IPP’s on the balance of probabilities.
The Tribunal found that ordinarily an applicant would bear an initial or evidential burden so as to satisfy the Tribunal that it should make the orders or the kind of orders sought by the applicant. However, in certain cases, where a clear or an admitted contravention had occurred, the respondent might bear an initial burden of putting its case first to the Tribunal. The Tribunal found it unnecessary to decide the applicable standard of proof in the present case as it had come to a level of satisfaction that also met the civil balance of probabilities test.
(e) Was the personal information in the medical certificate collected by unlawful means?
GV asserted that the manner in which the medical certificate was collected was not lawful, was not authorised and therefore breached s.8(2). GV contended that the request of the District Court judge for the further medical certificate was not an order but merely a request; that unless the particular collection was authorised, it was collected by an “unlawful means”. Alternatively, GV argued that if the District Court judge had made an order, it was not an order that authorised, in terms, the collection by the ODPP officers direct from the doctor. The “order” was for the doctor to provide the certificate to the court by a certain time, by specified method (facsimile transmission).
The ODPP argued that the judge had made an order for collection of the personal information in the second medical report and thus it was collected by a “lawful means”.
The Tribunal found as a fact that the presiding judge had made a request not an order.
The ODPP had also submitted that whether or not there was an order was not material – the real question was whether the ODPP officers reasonably believed there was an order. The Tribunal clearly found that each of the ODPP officers believed that the judge had made an order. However the Tribunal rejected the ODPP submission. It stated: “If there was any doubt as to whether there was a proper order, it should have been raised with the Court at the first opportunity. The officers’ belief as to whether the judge had issued an order or not is beside the point”.
The Tribunal found that the collection of the medical certificate from the Doctor by the ODPP clerk was not a collection by an unlawful means. It said:
“I do not consider that a telephone call from a DPP clerk to the doctor requesting the further medical certificate constituted an `unlawful means’ within the meaning of that expression in s 8(2). It was plainly lawful for her to pick up a telephone and make a request. It is arguable that it might have been `improper’ for the respondent’s officer to have asserted that the doctor was under an `order’ of the Court and he was `required’ to draw the certificate within the meaning of s 138 of the Evidence Act 1995 (where the District Court has a discretion to exclude evidence improperly or illegally obtained). Evidence of a doctor/patient relationship might also be excluded by a Court as being a ‘protected confidence’ by s 126B of the Evidence Act 1995. It might also be that the collection was not ‘authorised’ in the sense that there was no formal order supporting it. However, none of these matters goes so far as to establish that the collection of the relevant information was by ‘unlawful means’ “.
(f) Was the collection of the information in breach of s. 9(a)?
Section 9(a) requires that a public sector agency must collect the information directly from the individual to whom the information relates unless the individual has authorised the collection from someone else. Plainly the ODPP collected the information from GV’s doctor without GV’s authorisation. If no relevant exemption applied, then the ODPP would have contravened the IPP in s.9.
Section 23(2) of the Privacy Act provides that an agency is not required to comply with s.9 of the Act if the information is collected “in connection with” Court or tribunal proceedings. GV submitted that read literally the provision created an exemption to s.9 that was too wide and asked the Tribunal to construe it narrowly. The Privacy Commissioner also submitted that all exemptions should be narrowly construed. GV suggested that the expression related only to the parties directly affected in the matter and not to third parties or witnesses in the proceedings.
The Tribunal agreed with the ODPP’s submission that the provisions should be construed according to their ordinary meaning and that there was no basis for construing the section as narrowly as GV suggested. The section does not apply to exempt the whole of the IPP’s. It only targets and exempts specific collections that would otherwise be in breach of s.9. There was no compelling reason for the Tribunal to accord such a narrow construction having regard to the specific, considered and clear nature of the provision.
The doctor was being asked at the judge’s request to provide evidence as a witness in an interlocutory application that arose directly in court proceedings. If he refused, he could have been made the subject of a subpoena. Had that occurred, s.6 of the Privacy Act (which relates to judicial functions) might well have applied.
The Tribunal held that the exemption was made out and that the ODPP conduct that would otherwise have contravened s.9 was exempt by the operation of s.23(2) of the Act.
The ODPP also relied on another exemption in s.25(a) of the Privacy Act. This provides that a public sector agency is not required to comply with s.9 (and a number of other sections) if the agency is lawfully authorised or required not to comply with the principle concerned, or if non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated under an Act or any other law). The Tribunal noted that given its views as to the application of s.23(2) the ODPP could arguably be said to have been “lawfully authorised not to comply with the principle in s.9”. The Tribunal said that to the extent that the ODPP’s arguments on this provision relied on the District Court request as being an order, the exemption in s.25(a) would not apply.
The application was dismissed.
(g) Internal Agency Disclosure
In its early stages this case also raised the issue of whether disclosure within an agency: ie from one ODPP officer to another: was conduct to which the IPP’s applied. The Privacy Commissioner filed written submissions asserting that the Act did apply to intra-agency disclosure. GV did not pursue this aspect, so the issue was not litigated.
2 J v ODPP, NSW Police and Illawarra Area Health Service [No 23217 of 2003]
(a) Alleged Breach
This matter was heard by the Tribunal on 4 August 2003. The decision is reserved at the time of preparing this paper. The applicant claims that the ODPP has breached the IPP’s relating to the retention and security of personal information (s.12), use (s.17) and disclosure (s.18). The applicant J seeks an order for compensation, an order restraining the DPP from contravening the Act, an order requiring the performance of relevant IPP’s, an order requiring correction of personal information and an order requiring the DPP to take specified steps to remedy loss and damage suffered by the applicant.
(b) The Facts
The alleged breaches by the ODPP arise from criminal proceedings being conducted by the DPP against the applicant J for a number of driving offences. During preliminary submissions at J’s trial the Crown Prosecutor formed the view that the defence intended to raise evidence as to the good character of J. He then instructed the police officer in charge S to obtain any material relevant to the previous conduct of J and as to J’s general conduct and behaviour. (The prosecution can adduce such character evidence in certain cases).
The OIC S drafted a number of documents which purported to be subpoenas relating to the District Court. However, the documents were not sealed by the Court and were not in fact subpoenas. S served the documents on a number of public sector health agencies. In each case S indicated that the documents should be provided directly to her (rather than the District Court). As a consequence S took possession of a number of documents relating to J.
During an adjournment in the trial S met the Crown Prosecutor outside the Court and indicated that she had obtained a folder of material and had flagged the documents which she thought might be useful to the case. The Crown Prosecutor gained the impression that the material related to J’s character. The Crown Prosecutor assumed that the material had been legitimately obtained through subpoena. The Crown Prosecutor asked S to make photocopies of the material and provide it to the defence. The Crown Prosecutor later informed defence counsel in court that the police had obtained damaging evidence about the accused and that copies would be provided as soon as they were available.
At the next adjournment the OIC S provided the Crown Prosecutor with the requested material. At the direction of the Crown Prosecutor S then provided a copy of the material to defence counsel. Defence counsel subsequently warned the Crown Prosecutor that, as he believed the material in question may have been illegally or improperly obtained, the Crown Prosecutor should not read it. The Crown Prosecutor did not read it. At the conclusion of the day’s proceedings he conferred with me and at my direction the documents were placed in an envelope and sealed.
The sealed envelope was handed over to the court when it next sat. The Crown Prosecutor informed the presiding judge in court of the circumstances in which the material had been obtained. At a subsequent voir dire the court heard evidence from the OIC S concerning the obtaining of the material. The court treated the material as being illegally or improperly obtained evidence which had come into the possession of the court. The presiding judge ordered that both parties could look at the material in order to determine which documents they proposed to use in the proceedings. The Crown sought an order from the judge permitting the use of 5 documents from the bundle in question. His Honour allowed the Crown to use 4 of the documents.
While the material was initially in the Crown Prosecutor’s custody, he did not read the documents or show them to any other person before access was subsequently allowed by order of the presiding judge. The Crown’s instructing solicitors did not read the documents in question prior to access being granted by the court.
The applicant J subsequently requested the DPP to review its conduct regarding the “reading, handling and use” of personal information relating to J. The internal reviewer concluded that the actions of the Crown Prosecutor and the instructing solicitors did not breach the Act. Subsequently J lodged an application to the ADT asserting that ss.12, 17 and 18 had been breached.
The conduct of officers of the Illawarra Area Health Service (IAHS) and NSW Police in these matters was also the subject of internal reviews. On 12 September 2002 the IAHS issued a preliminary apology to the applicant concerning the conduct of its officers. Subsequently the IAHS sent the applicant a report of its internal review which concluded that the agency had not breached the Privacy Act. The NSW Police have also advised that the police have not breached the Act.
(c) Did the ODPP hold personal information relating to J and, if so, when?
A Crown Prosecutor is not an employee of the ODPP. He or she is an independent statutory officer appointed under the Crown Prosecutors Act 1986. However, the Crown Prosecutor was appearing for the DPP at J’s trial. Accordingly any information in the possession or control of the Crown Prosecutor is taken to have been “held” by the ODPP under s.4(4)(b) of the Act. The fact that the ODPP “held” the relevant personal information is sufficient to attract the operation of ss. 12, 17 and 18 (which apply to agencies that “hold” personal information).
There was no dispute that the material obtained by the OIC S contained “personal information” within the meaning of s.4 of the Act.
The next issue is: at what point in time is the personal information relating to J “held” by the ODPP? Section 4 (4) of the Act provides that personal information is “held” by an agency if, inter alia, the agency is in possession or control of the information, or the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement.
The ODPP contends that the information was not held by it until the Crown Prosecutor took possession of the relevant material from S. It has been argued by J that the DPP is responsible for the manner in which S collected and stored and used the personal information obtained under the “subpoenas”. The ODPP asserts that while the information was in the possession of S, the ODPP did not have “control” of the information as envisaged by s.4(4). The OIC S did not receive specific directions from the DPP or the Crown Prosecutor as to how to obtain, secure, collate and deal with information relating to character. S was only given the general task of investigating the issue of J’s character.
(d) Did the ODPP breach section 12?
Under s.12(c) the DPP was required to ensure that from the point of receipt by the Crown Prosecutor the personal information was protected “by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure and against all other misuse”.
After receiving the folder of documents, the Crown Prosecutor returned to court and placed the folder on the bar table in court while proceeding with his conduct of the trial. After court concluded the Crown Prosecutor took the folder of documents to his meeting with me. He then placed the folder into a large envelope and sealed it. He handed over the sealed envelope to the court at the first available opportunity. While the documents remained in his custody the Crown Prosecutor did not read the documents or allow any other person to access them.
The ODPP contends that this conduct satisfies the IPP.
(e) Did the ODPP breach the “use” principles in s 17 of the Act?
The first issue is whether the ODPP “used” the information in the sense referred to in s.17. The concept of “use” is not specifically defined in the Act. However the scheme of Part 2 suggests distinctions between collection, storage, use and disclosure. The Act applies entirely different exemptions depending on whether the conduct in question involves “use” or “disclosure”. The ODPP contends that the Act assumes that there is (at least in most cases) no overlap between these principles in terms of their application to particular conduct. The ODPP argues that where conduct is properly described as “disclosure” then that conduct would not also fall within the concept of “use” of personal information. Different IPP’s apply to each situation.
The ODPP relies on the case of FM v Vice Chancellor, Macquarie University [2003] NSW ADT 78. In that case Henessy at 42 referred to the meaning of “use” in s.17 as follows: “The plain and ordinary meaning of the word use in [s.17] is `to avail oneself of; apply to one’s own purposes’: … Macquarie [University] did not avail itself of or apply any of the information in dispute for its own purposes in these proceedings. It merely disclosed that information to a third party”.
The ODPP argued that the Crown Prosecutor’s action in disclosing the personal information to the court and to defence counsel did not constitute the ODPP “availing itself of the information or applying the information for its own purposes”.
If the disclosure is, contrary to ODPP submissions, held to constitute “use”, the ODPP has argued that it did not breach s.17 as the purpose for which the information was used [ie. the conduct of a criminal prosecution] was directly related to the purpose for which the information was collected. The ODPP argues that the information in question was initially collected by the police OIC for the express purpose of the criminal proceedings against J and was later collected by the ODPP from the OIC for the same purpose.
If the Tribunal is against the ODPP on this submission, one must consider what the Crown Prosecutor actually did with the subpoenaed material. He examined the bundle of documents following the determination of the presiding judge that access be granted to the parties and then used four specific documents from the bundle in the course of the trial, following the decision of the presiding judge specifically authorising such use. The Crown Prosecutor was acting in strict compliance with specific written orders made by the presiding judge which authorised his actions.
The ODPP therefore asserts that the Crown Prosecutor was exempt from compliance with s.17 by the operation of s.25 of the Act. Section 25(a) of the Act provides that a public sector agency is not required to comply with s.17 if “the agency is lawfully authorised or required not to comply with the principle concerned”. The ODPP argues that the orders of the presiding judge provided lawful authorisation for the actions of the Crown Prosecutor.
(f) Did the ODPP breach the disclosure IPP in s.18 of the Act?
The Crown Prosecutor disclosed the information provided by the OIC to defence counsel and later to the Court. The documents given to defence counsel did not come into the physical possession of the Crown Prosecutor but were provided to the defence directly by the OIC at the prosecutor’s direction. Irrespective of the finding of the Tribunal in this regard, the ODPP relies upon the exemption in s.23(5)(a) which provides that a public sector agency is not required to comply with s 18 if the disclosure “is made in connection with proceedings for an offence or for law enforcement purposes”.
In Our Town FM Pty Ltd The Australian Broadcasting Tribunal (1987) (16 FCR 465 per Wilcox J) the words “in connection with” were held to have “a wide connotation requiring merely a relationship between one thing and another. They do not necessarily require a causal relationship between the two things”. This passage was cited with approval by O’Connor P in N (No. 2) v Director General, Attorney General’s Department [2002] NSW ADT 33 at [32] in the context of interpreting analogous provisions in the Freedom of Information Act.
The Crown Prosecutor’s disclosure of material to the defence and the court was made in connection with the criminal proceedings against J. Accordingly, s.23(5)(a) applies to exempt the ODPP from compliance with s.18.
Section 25 also applies to exempt the ODPP from compliance with s.18 in this case. Rule A66 of the Advocacy Rules places an obligation on a prosecutor to disclose to the opponent specified material available to the prosecutor which could constitute evidence relevant to the guilt or innocence of the accused. By virtue of the Legal Profession Act 1987 these Rules are binding on legal practitioners. Failure to comply with the rules is capable of being professional misconduct or unsatisfactory professional conduct. Accordingly, Rule A66 of the Advocacy Rules had effect as a binding legal obligation to which the Crown Prosecutor was subject.
The ODPP argues that the Crown Prosecutor’s disclosure to the court of the same material was consistent with his duty under Advocacy Rule 62. This provides, inter alia, that a prosecutor must seek impartially to have the whole of the relevant evidence placed intelligibly before the court. The Crown Prosecutor had an obligation to provide the material to the court and to advise the court of the improprieties involved in the obtaining of the material so that the court could determine issues relating to access, use and admissibility.
To the extent that the Crown Prosecutor “disclosed” some of the personal information in question in the course of the trial (by reliance upon four documents from the bundle) after the presiding judge had made specific orders permitting access to the material and orders permitting use of certain documents, the Crown Prosecutor was lawfully authorised not to comply with the IPP’s which would otherwise have restricted such disclosure.
3 F v ODPP [No. 23294 of 2003 in the Administrative Decisions Tribunal at Sydney]
(a) Alleged Breach
This is the case referred to at the outset of this paper in which F alleges that the ODPP has breached the disclosure IPP of the Act by disclosing to an agent of the Ambulance Service of NSW a brief of evidence containing personal information relating to F. The matter will be heard in the Tribunal later this year.
(b) Was the disclosure of the brief of evidence for “law enforcement purposes”?
The ODPP intends to rely on the exemption from the disclosure IPP provided in s.23(5)(a) of the Act; ie. the exemption for disclosure made for “law enforcement purposes”. ODPP asserts that the disclosure was for such a purpose, being for the specific purpose of facilitating the disciplinary enquiry being undertaken by the Ambulance Service to enforce the terms of the AS Regulation.
The meaning of the phrase “law enforcement” in s.23(5)(a) has not been the subject of direct adjudication by the ADT. It is therefore necessary to consider the natural meaning of the words used and whether there is anything in the Act to displace this ordinary meaning.
A narrow reading of “law enforcement” as used in s.23(5)(a) could suggest that the phrase refers only to enforcement of the criminal law. The ODPP will argue that to limit the operation in this way is to read the qualifying word “criminal” into s.23(5)(a) without clear justification. The argument to be relied upon is as follows.
Section 23(5)(a) refers to 2 alternate exemptions, namely:
1. disclosure “in connection with proceedings for an offence”; and
2. disclosure for “law enforcement purposes”.
It is a standard principle of statutory interpretation that all words must be given meaning and effect. It is presumed that Parliament did not intend to include superfluous phrases. While there may be a degree of overlap between the 2 clauses, the 2 alternatives must be interpreted as having substantial and separate operations of their own. If the phrase “law enforcement” were to be interpreted as meaning only criminal law enforcement, the clause would be rendered largely redundant (because of the existing exemption for disclosure in connection with proceedings for an offence).
The outcome before the Tribunal will be significant. A wider interpretation of “law enforcement purposes” will permit disclosure by agencies of a much broader class of information than that related only to criminal proceedings.
(c) Was the ODPP exempt from the s.18 IPP by virtue of the Privacy Commissioner’s direction under s. 41?
On 28 December 2001 the Privacy Commissioner made a direction under s.41 of the Act which applied to the ODPP. The direction had effect from 1 January 2002 to 30 June 2002, the period in which the disclosure occurred. The direction provided, inter alia:
“A relevant agency need not comply with ss … 17, 18 or 19(1) if compliance might detrimentally affect, or prevent the proper exercise of, any of the agency’s investigative functions or its conduct of any lawful investigations”.
For the purposes of the direction “investigative functions” of an agency refers to those functions that are directly related to a lawful investigation and that are necessary for the conduct of that lawful investigation.
The enquiry being conducted by the Ambulance Service into F’s alleged misconduct was specifically required under the AS Regulation (and therefore authorised by legislation). The Ambulance Service was conducting “a lawful investigation” within the meaning of the s.41 direction.
The central issue is whether the function of the ODPP in assisting the lawful investigation conducted by the Ambulance Service constituted an “investigative function” of the ODPP. Nothing in s.41 suggests that the direction applies only to the investigative function of an agency when it relates to the agency’s own investigations.
The ODPP will argue that the effect of the s.41 direction is that if compliance with s.18 by the ODPP might detrimentally affect or prevent the proper exercise of any of the ODPP’s investigative functions (including the function of assisting the Ambulance Service’s investigation) then the ODPP need not comply with s.18.
The ODPP intends to rely upon the remarks of Hennessy D P in FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 at 69.
(d) Was the ODPP exempt from the operation of s.18 by virtue of s.25(b) of the Act?
The ODPP also intends to argue, in the alternative, that the s.41 direction as applied to the Ambulance Service provided indirect lawful authorisation to the ODPP, under s.25 of the Act not to comply with s.18. The ODPP argues that directions made by a Privacy Commissioner under s.41 have force under statute and may be taken to be a form of “other law” as referred to in s. 25(b).
The effect of the s.41 direction is that the Ambulance Service was not required to comply with s. 9 when collecting personal information from the ODPP, as this might have detrimentally affected the Service’s investigative functions.
(e) Costs
The ODPP intends to seek an order for the costs incurred in attending a mediation session held in a regional centre. F failed to attend the mediation and no explanation was provided by him for his failure to attend. Two officers from the ODPP attended the mediation.
The Tribunal’s power to award costs is contained in s.88 of the Administrative Decisions Tribunal Act 1997.
There is a preliminary issue as to whether the Tribunal has power to award costs in matters involving a review of conduct under the Privacy Act. The ODPP intends to rely upon remarks made in the matter of FY v Commissioner, Health Care Complaints Commission [2003] NSWADT 128 by O’Connor P at [67] – [72]. The ODPP will argue that proceedings in the Tribunal under the Privacy Act are not “proceedings for an original decision” within the exception in s.88(3) and that the general costs provisions in s.88(1) apply.
Section 88(1) provides that the Tribunal may award costs “only if it is satisfied that there are special circumstances warranting an award of costs”. The ODPP intends to rely upon the conduct of F in failing to attend the mediation and failing to provide an explanation for this conduct.
_____________________________________________________________
Other issues:
Alteration of Personal Information
The ODPP has received one application for alteration of personal information held by the ODPP pursuant to s.15 of the Act. The circumstances giving rise to the application are quite unusual.
The ODPP had conduct of a prosecution involving the applicant A. The ODPP received, unsolicited, from two other Government agencies, copies of anonymous letters relating to A. Through FOI requests made of those agencies and the ODPP, A became aware that the ODPP was in receipt of the anonymous letters.
A asserted that the anonymous letters were inaccurate in many respects and applied under s.15 for alteration of them. The anonymous letters spanned many pages and, according to A, were full of inaccuracies concerning him.
The ODPP privacy officer considered it impracticable to make alterations as sought by A. That officer reasoned that she could not discern whether the letters contained inaccuracies or not. The officer sought to proceed under s.15(2). This provides that if a public sector agency is not prepared to amend the personal information in accordance with a request, the agency must, if so requested by the individual concerned take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
A rejected the ODPP privacy officer’s offer to proceed in that fashion and commenced proceedings in the Tribunal. These proceedings were ultimately settled on the basis that the ODPP would return the anonymous letters and all copies in its possession to the two agencies which had originally provided the letters to the ODPP.
_____________________________________________________________
Postscript: Disclosure of information for the purpose of obtaining legal advice or representation
There is no explicit exemption in the Privacy Act permitting the disclosure of personal information for the purpose of obtaining legal advice or representation. It is arguably implicit in the wording of s.12(2) of the Act, which states:
“A public sector agency that holds personal information must ensure that if it is necessary for the information to be given to a person in connection with a provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information”.
Such disclosure may also arguably fall within the exemption in s.25(b) and, depending upon the factual circumstances, within the exemption in s.28(3)(a). That latter section permits disclosure by a public sector agency to another public sector agency under the administration of the same Minister, if the disclosure is for the purposes of informing the Minister about any matter within that administration.
There is an exemption for disclosure for “protection of the public revenue”. It is arguable that disclosure for the purposes of defending civil litigation against the State may fall within this exemption. Alternatively it may be argued that the purpose of this exemption was to protect a defined revenue stream, or a quantified amount, rather than the State’s consolidated revenue in general.
An express exemption permitting agencies to disclose personal information to professionals (lawyers, auditors, accountants) in order to obtain their services would be highly desirable.
_____________________________________________________________
Acknowledgements
I gratefully acknowledge the assistance given in the preparation of this paper by the ODPP’s Privacy Officer, Ms Robyn Gray and from the submissions prepared by Mr Stephen Free of the Crown Solicitor’s Office, who is representing the ODPP in the matters of J v ODPP and F v ODPP.
Appendix A
RELEVANT EXTRACTS FROM THE PRIVACY ACT
3. Definitions
In this Act:
"convicted inmate" has the same meaning as it has in the Crimes (Administration of Sentences) Act 1999.
"exercise" a function includes perform a duty.
"function" includes a power, authority or duty.
"information protection principle" or "principle" means a provision set out in Division 1 of Part 2.
"investigative agency" means any of the following:
(a) the Ombudsman's Office,
(b) the Independent Commission Against Corruption,
(c) the Police Integrity Commission,
(c1) the Inspector of the Police Integrity Commission and any staff of the Inspector,
(d) (Repealed)
(e) the Health Care Complaints Commission,
(f) the office of Legal Services Commissioner,
(g) a person or body prescribed by the regulations for the purposes of this definition.
"law enforcement agency" means any of the following:
(a) the Police Service, or the police force of another State or a Territory,
(b) the New South Wales Crime Commission,
(c) the Australian Federal Police,
(d) the Australian Crime Commission,
(e) the Director of Public Prosecutions of New South Wales, of another State or a Territory, or of the Commonwealth,
(f) the Department of Corrective Services,
(g) the Department of Juvenile Justice,
(h) a person or body prescribed by the regulations for the purposes of this definition.
"local government authority" means a council, or a county council, within the meaning of the Local Government Act 1993.
"personal information" is defined in section 4.
"privacy code of practice" or "code" means a privacy code of practice made under Part 3.
"Privacy Commissioner" means the Privacy Commissioner appointed under this Act.
"public register" means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee).
"public sector agency" means any of the following:
(a) a government department or the Education Teaching Service,
(b) a statutory body representing the Crown,
(c) a declared authority under the Public Sector Management Act 1988,
(d) a person or body in relation to whom, or to whose functions, an account is kept of administration or working expenses, if the account:
(i) is part of the accounts prepared under the Public Finance and Audit Act 1983, or
(ii) is required by or under any Act to be audited by the Auditor-General, or
(iii) is an account with respect to which the Auditor-General has powers under any law, or
(iv) is an account with respect to which the Auditor-General may exercise powers under a law relating to the audit of accounts if requested to do so by a Minister of the Crown,
(e) the Police Service,
(f) a local government authority,
(g) a person or body that:
(i) provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraph (a)--(f) of this definition, or that receives funding from any such body in connection with providing data services, and
(ii) is prescribed by the regulations for the purposes of this definition,
but does not include a State owned corporation.
"public sector official" means any of the following:
(a) a person appointed by the Governor, or a Minister, to a statutory office,
(b) a judicial officer within the meaning of the Judicial Officers Act 1986,
(c) a person employed in the Public Service, the Education Teaching Service or the Police Service,
(d) a local government councillor or a person employed by a local government authority,
(e) a person who is an officer of the Legislative Council or Legislative Assembly or who is employed by (or who is under the control of) the President of the Legislative Council or the Speaker of the Legislative Assembly, or both,
(f) a person who is employed or engaged by:
(i) a public sector agency, or
(ii) a person referred to in paragraph (a)--(e),
(g) a person who acts for or on behalf of, or in the place of, or as deputy or delegate of, a public sector agency or person referred to in paragraph (a)--(e).
"publicly available publication" does not include any publication or document declared by the regulations not to be a publicly available document for the purposes of this Act.
"staff of the Inspector of the Police Integrity Commission" means:
(a) any staff employed under section 92 (1) or (2) of the Police Integrity Commission Act 1996, and
(b) any consultants engaged under section 92 (3) of that Act.
"State record" has the same meaning as in the State Records Act 1998.
"Tribunal" means the Administrative Decisions Tribunal established by the Administrative Decisions Tribunal Act 1997.
4. Definition of "personal information"
(1) In this Act, "personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following:
(a) information about an individual who has been dead for more than 30 years,
(b) information about an individual that is contained in a publicly available publication,
(c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act,
(d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth,
(e) information about an individual that is contained in a protected disclosure within the meaning of the Protected Disclosures Act 1994, or that has been collected in the course of an investigation arising out of a protected disclosure,
(f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry,
(h) information about an individual arising out of a complaint made under Part 8A of the Police Service Act 1990,
(i) information about an individual that is contained in a document of a kind referred to in clause 1 or 2 of Schedule 1 (restricted documents) to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council documents),
(j) information or an opinion about an individual's suitability for appointment or employment as a public sector official,
(ja) information about an individual that is obtained about an individual under Chapter 8 (Adoption information) of the Adoption Act 2000,
(k) information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.
(4) For the purposes of this Act, personal information is "held" by a public sector agency if:
(a) the agency is in possession or control of the information, or
(b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or
(c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
(5) For the purposes of this Act, personal information is not "collected" by a public sector agency if the receipt of the information by the agency is unsolicited.
5. Freedom of Information Act 1989 not affected
(1) Nothing in this Act affects the operation of the Freedom of Information Act 1989.
(2) In particular, this Act does not operate:
(a) to modify any exemption under the Freedom of Information Act 1989, or
(b) to lessen any obligations under that Act in respect of a public sector agency.
6. Courts, tribunals and Royal Commissions not affected
(1) Nothing in this Act affects the manner in which a court or tribunal, or the manner in which the holder of an office relating to a court or tribunal, exercises the court's, or the tribunal's, judicial functions.
(2) Nothing in this Act affects the manner in which a Royal Commission, or any Special Commission of Inquiry, exercises the Commission's functions.
(3) In this section, "judicial functions" of a court or tribunal means such of the functions of the court or tribunal as relate to the hearing or determination of proceedings before it, and includes:
(a) in relation to a Magistrate---such of the functions of the Magistrate as relate to the conduct of committal proceedings, and
(b) in relation to a coroner---such of the functions of the coroner as relate to the conduct of inquests and inquiries under the Coroners Act 1980.
8. Collection of personal information for lawful purposes
(1) A public sector agency must not collect personal information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) A public sector agency must not collect personal information by any unlawful means.
9. Collection of personal information directly from individual
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a) the individual has authorised collection of the information from someone else, or
(b) in the case of information relating to a person who is under the age of 16 years---the information has been provided by a parent or guardian of the person.
10. Requirements when collecting personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.
11. Other requirements relating to collection of personal information
If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
12. Retention and security of personal information
A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.
13. Information about personal information held by agencies
A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person:
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to gain access to the information.
14. Access to personal information held by agencies
A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
15. Alteration of personal information
(1) A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a) is accurate, and
(b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(2) If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
(3) If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.
16. Agency must check accuracy of personal information before use
A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
17. Limits on use of personal information
A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
18. Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
19. Special restrictions on disclosure of personal information
(1) A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.
(2) A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
(a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
(b) the disclosure is permitted under a privacy code of practice.
(3) For the purposes of subsection (2), a "relevant privacy law" means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
(4) The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
(5) Subsection (2) does not apply:
(a) until after the first anniversary of the commencement of this section, or
(b) until a code referred to in subsection (4) is made,
whichever is the later.
23. Exemptions relating to law enforcement and related matters
(1) A law enforcement agency is not required to comply with section 9 if compliance by the agency would prejudice the agency's law enforcement functions.
(2) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal.
(3) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.
(4) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.
(5) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 18 if the disclosure of the information concerned:
(a) is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or
(b) is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(c) is authorised or required by subpoena or by search warrant or other statutory instrument, or
(d) is reasonably necessary:
(i) for the protection of the public revenue, or
(ii) in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed.
(6) Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement.
(7) A public sector agency (whether or not a law enforcement agency) is not required to comply with section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed.
25. Exemptions where non-compliance is lawfully authorised or required
A public sector agency is not required to comply with section 9, 10, 13, 14, 15, 17, 18 or 19 if:
(a) the agency is lawfully authorised or required not to comply with the principle concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
28. Other exemptions
(1) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Guardianship Board are not required to comply with section 19.
(2) A public sector agency is not required to comply with section 19 if, in the case of health related information and in circumstances where the consent of the individual to whom the information relates cannot reasonably be obtained, the disclosure is made by an authorised person to another authorised person involved in the care or treatment of the individual. An "authorised person" is a medical practitioner, health worker, or other official or employee providing health or community services, who is employed or engaged by a public sector agency.
(3) Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information:
(a) by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
(b) by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter.
41. Exempting agencies from complying with principles and codes
(1) The Privacy Commissioner, with the approval of the Minister, may make a written direction that:
(a) a public sector agency is not required to comply with an information protection principle or a privacy code of practice, or
(b) the application of a principle or a code to a public sector agency is to be modified as specified in the direction.
(2) Any such direction has effect despite any other provision of this Act.
(3) The Privacy Commissioner is not to make a direction under this section unless the Privacy Commissioner is satisfied that the public interest in requiring the public sector agency to comply with the principle or code is outweighed by the public interest in the Privacy Commissioner making the direction
53. Internal review by public sector agencies
(1) A person ("the applicant") who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct.
(2) The review is to be undertaken by the public sector agency concerned.
(3) An application for such a review must:
(a) be in writing, and
(b) be addressed to the public sector agency concerned, and
(c) specify an address in Australia to which a notice under subsection (8) may be sent, and
(d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and
(e) comply with such other requirements as may be prescribed by the regulations.
(4) Except as provided by section 54 (3), the application must be dealt with by an individual within the public sector agency who is directed by the agency to deal with the application. That individual must be, as far as is practicable, a person:
(a) who was not substantially involved in any matter relating to the conduct the subject of the application, and
(b) who is an employee or officer of the agency, and
(c) who is otherwise suitably qualified to deal with the matters raised by the application.
(5) In reviewing the conduct the subject of the application, the individual dealing with the application must consider any relevant material submitted by:
(a) the applicant, and
(b) the Privacy Commissioner.
(6) The review must be completed as soon as is reasonably practicable in the circumstances. However, if the review is not completed within 60 days from the day on which the application was received, the applicant is entitled to make an application under section 55 to the Tribunal for a review of the conduct concerned.
(7) Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following:
(a) take no further action on the matter,
(b) make a formal apology to the applicant,
(c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d) provide undertakings that the conduct will not occur again,
(e) implement administrative measures to ensure that the conduct will not occur again.
(7A) A public sector agency may not pay monetary compensation under subsection (7) if:
(a) the applicant is a convicted inmate or former convicted inmate or a spouse, partner, relative, friend or an associate of a convicted inmate or former convicted inmate, and
(b) the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and
(c) the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
(8) As soon as practicable (or in any event within 14 days) after the completion of the review, the public sector agency must notify the applicant in writing of:
(a) the findings of the review (and the reasons for those findings), and
(b) the action proposed to be taken by the agency (and the reasons for taking that action), and
(c) the right of the person to have those findings, and the agency's proposed action, reviewed by the Tribunal.
54. Role of Privacy Commissioner in internal review process
(1) A public sector agency that receives an application under section 53 must:
(a) as soon as practicable after receiving the application notify the Privacy Commissioner of the application, and
(b) keep the Privacy Commissioner informed of the progress of the internal review, and
(c) inform the Privacy Commissioner of the findings of the review and of the action proposed to be taken by the agency in relation to the matter.
(2) The Privacy Commissioner is entitled to make submissions to the agency in relation to the subject matter of the application.
(3) The Privacy Commissioner may, at the request of the agency concerned:
(a) undertake the internal review on behalf of the agency, and
(b) make a report to the agency in relation to the application.
(4) The Privacy Commissioner is entitled to charge an appropriate fee for that service.
(5) Section 53 (7), (7A) and (8) apply in respect of an internal review that is undertaken by the Privacy Commissioner on behalf of an agency.
55. Review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53.
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
(4) The Tribunal may make an order under subsection (2) (a) only if:
(a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and
(b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.
(4A) The Tribunal may not make an order under subsection (2) (a) if:
(a) the applicant is a convicted inmate or former convicted inmate or a spouse, partner, relative, friend or an associate of a convicted inmate or former convicted inmate, and
(b) the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and
(c) the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.
(5) If, in the course of a review under this section, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.
(6) The Privacy Commissioner is to be notified by the Tribunal of any application made to it under this section.
(7) The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to a review under this section.
Appendix B
Privacy Act Information Protection Principles and
Exemptions Applicable to the ODPP
* Personal information is defined in s.4(1). It means “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.” Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.
Section 4(3) lists the exemptions - refer to the final page of this table.
** The DPP is defined as a law enforcement agency in s.3.
|
Information Protection Principles |
Exemption Provisions |
|
Division 1 Principles |
|
|
8. Collection of Personal Information* for Lawful Purposes
|
20(3) - Sections 8 to 11 do not apply in respect of personal information collected by a public sector agency before commencement of this Part. (Part 2 to commence on 1 July 2000) |
|
(a) The information is collected for a lawful purpose that is directly related to a function or activity of the agency, and |
4(5)- For the purposes of the Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited. |
|
(b) The collection of the information is reasonably necessary for that purpose. |
|
|
|
|
9. Collection of Personal Information Directly from Individual |
23. Exemptions relating to law enforcement** and related matters |
|
A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless: |
1. A law enforcement agency is not required to comply with Section 9 if compliance by the agency would prejudice the agency’s law enforcement functions. |
|
(a) The individual has authorised collection of the information from someone else, or (b) In the case of information relating to a person who is under the age of 16 years – the information has been provided by a parent or guardian of the person. |
2. A public sector agency** (whether or not a law enforcement agency) is not required to comply with Section 9 if the information concerned is collected in connection with proceedings (whether or not actually commenced) before any court or tribunal. |
|
|
20(3) - Sections 8 to 11 do not apply in respect of personal information collected by a public sector agency before commencement of this Part. (Part 2 to commence on 1 July 2000) |
|
|
25. Exemptions where non-compliance is lawfully authorised or required |
|
|
A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) The agency is lawfully authorised or required not to comply with the principle concerned, or |
|
|
(b) Non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
|
26. Other exemptions where non-compliance would benefit the individual concerned 1. A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates.
|
|
|
Code of Practice The Privacy Commissioner’s Code of Practice for Inter-agency Transfers of information modifies the principle in section 9 for referral of ministerial correspondence between agencies and for information collected by a public sector agency from another public sector agency for audit purposes.
|
|
10. Requirements When Collecting Personal Information. If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected, or as soon as practicable after collection, the individual to whom the information relates is made aware of the following: |
23(3) - A public sector agency (whether or not a law enforcement agency) is not required to comply with Section 10 if the information concerned is collected for law enforcement purposes. However, this subsection does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence. |
|
(a) the fact that the information is being collected, (b) the purpose for which the information is being collected, (c) the intended recipients of the information, (d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided, (e) the existence of any right of access to, and correction of information, (f) the name and address of the agency that is collecting the information and the agency that is to hold the information. |
20(3) - Sections 8 to 11 do not apply in respect of personal information collected by a public sector agency before commencement of this Part. (Part 2 to commence on 1 July 2000) 25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) The agency is lawfully authorised or required not to comply with the principle concerned, or (b) Non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
|
26. Other exemptions where non-compliance would benefit the individual concerned 1. A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates. 2. A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned. |
|
|
Code of PracticeThe Privacy Commissioner’s Code of Practice for Inter-agency Transfers modifies the principle in section 10 insofar as it applies to ministerial correspondence. |
|
11. Other Requirements Relating to Collection of Personal Information If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that: (a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and (b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates. |
20(3) - Sections 8 to 11 do not apply in respect of personal information collected by a public sector agency before commencement of this Part. (Part 2 to commence on 1 July 2000).
|
|
12. Retention and Security of Personal Information A public sector agency that holds personal information must ensure: |
NIL EXEMPTION |
|
(a) That the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and (b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and (c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure and against all other misuse, and (d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information. |
s.4(4) - For the purposes of this Act, personal information is held by a public sector agency if: (a) the agency is in possession or control of the information, or (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998. |
|
13. Information about Personal Information held by Agencies A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain: |
Code of Practice The ODPP has published a Code of Practice under the Act indicating its intention to depart from the principle in section 13. The ODPP Code of Practice states: |
(a) whether the agency holds personal information, and (b) whether the agency holds personal information relating to that person, and (c) if the agency holds personal information relating to that person: i. the nature of that information, and ii. the main purposes for which the information is used, and iii. that person’s entitlement to gain access to the information. |
“In relation to all personal information received by the ODPP from a law enforcement agency or investigative agency, during the period commencing on the date of receipt of the personal information and concluding on: i. The date that a person is charged with a criminal offence or served with process initiating a criminal prosecution or proceeding; or ii. the date on which the investigative agency or law enforcement agency formally advises the ODPP that the personal information can be disclosed. |
|
|
the ODPP will not take any steps to enable a member of the public to ascertain: (a) whether the ODPP holds personal information; (b) whether the ODPP holds personal information relating to that person; and (c) if the ODPP holds personal information relating to that person: i. the nature of that information; and ii. the main purposes for which the information is used; and iii. that person’s entitlement to gain access to the information.” |
|
|
5. Freedom of Information Act not affected 1. Nothing in this Act affects the operation of the Freedom of Information Act 1989 2. In particular, this Act does not operate: (a) To modify any exemption under the Freedom of Information Act 1989, or (b) to lessen any obligations under that Act in respect of a public sector agency |
|
|
20(5) - Without limiting the generality of Section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in Section 13, 14 or 15 are not affected by this Act and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act. |
|
|
25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or |
|
|
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). Note:: Definition of “held” in s.4(4) set out above next to Principle in Section 12. |
|
14. Access to Personal Information held by Agencies A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information. |
5. Freedom of Information Act not affected 1. Nothing in this Act affects the operation of the Freedom of Information Act 1989 2. In particular, this Act does not operate: (a) To modify any exemption under the Freedom of Information Act 1989, or (b) to lessen any obligations under that Act in respect of a public sector agency |
|
|
20(5) - Without limiting the generality of Section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in Section 13, 14 or 15 are not affected by this Act and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act. |
|
|
25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
15.Alteration to Personal Information 1. A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information: (a) is accurate, and (b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading. |
5. Freedom of Information Act not affected 1. Nothing in this Act affects the operation of the Freedom of Information Act 1989 2. In particular, this Act does not operate: (a) To modify any exemption under the Freedom of Information Act 1989, or (b) to lessen any obligations under that Act in respect of a public sector agency |
|
2. If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought. 3. If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency. |
20(5) - Without limiting the generality of Section 5, the provisions of the Freedom of Information Act 1989 that impose conditions or limitations (however expressed) with respect to any matter referred to in Section 13, 14 or 15 are not affected by this Act and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act.
20(4) – Section 15, and any provision of a privacy code of practice that relates to the requirements set out in that section, apply to public sector agencies despite the State Records Act 1998. |
|
|
25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
|
Code of PracticeUnder the Privacy Commissioner’s Code of Practice for Inter-agency Transfers alterations of and additions to personal information obtained in the process of audit may be delayed until the conclusion of the audit. |
|
16. Agency must check accuracy of personal information before use A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading. |
NIL EXEMPTION |
|
17. Limits on Use of Personal Information A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected, unless: (a) the individual to whom the information relates has consented to the use of the information for that other purpose, or |
23(4) A public sector agency (whether or not a law enforcement agency) is not required to comply with Section 17 if the use of the information concerned for a purpose other than the purpose for which it was collected is reasonably necessary for law enforcement purposes or for the protection of the public revenue.
|
|
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or (c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.
|
25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
|
28(3) - Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information: (a) by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or (b) by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter. Code of PracticeThe Privacy Commissioner’s Code of Practice for Inter-agency Transfers authorises the use of information by agencies for audit purposes. |
|
18. Limits on Disclosure of Personal Information 1. A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless: (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with Section 10, that information of that kind is usually disclosed to that other person or body, or (c) the agency believes, on reasonable grounds, that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person. |
Code of PracticeThe ODPP has published a Code of Practice under the Act indicating its intention to depart from the principle in section 18 by the provision of information to the Victims Compensation Tribunal. The Code states: “Upon receipt of a formal request from the Victims Compensation Tribunal, the ODPP will formally disclose to the Victims Compensation Tribunal for use in determining whether or not to make an award of statutory compensation and in determining the amount of compensation to award, such information as the ODPP considers relevant to the issues to which the compensation assessor is required to give consideration under section 30 of the Victims Compensation Act.” As at 30 June 2000 the Privacy Commissioner has issued a draft Code which permits public sector agencies to disclose information to researchers where the disclosure would otherwise breach sections 18-19. |
|
2. If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it. |
The Privacy Commissioner has published a draft Code of Practice for Inter-agency Transfers of personal information which authorises: i. referral of ministerial correspondence between public sector agencies and provision of personal information to enable preparation of a response to ministerial correspondence; ii. disclosure by a public sector agency to another public sector agency for the purposes of audit where the information is directly related to the audit function. 23(5) A public sector agency (whether or not a law enforcement agency) is not required to comply with Section 18 if the disclosure of the information concerned: (a) is made in connection with proceedings for an offence or for law enforcement purposes (including the exercising of functions under or in connection with the Confiscation of Proceeds of Crime Act 1989 or the Criminal Assets Recovery Act 1990), or (b) is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police offer as a missing person, or (c) is authorised or required by subpoena or by search warrant or other statutory instrument, or (d) is reasonably necessary: i. for the protection of the public revenue, or ii. in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed. 23(6) - Nothing in subsection (5) requires a public sector agency to disclose personal information to another person or body if the agency is entitled to refuse to disclose the information in the absence of a subpoena, warrant or other lawful requirement. 25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). |
|
|
26. Other exemptions where non-compliance would benefit the individual concerned 1. A public sector agency is not required to comply with section 9 or 10 if compliance by the agency would, in the circumstances, prejudice the interests of the individual to whom the information relates. 2. A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned. |
|
|
28(3) - Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information: (a) by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or (b) by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter |
|
19. Special Restrictions on Disclosure of Personal Information 1. A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities, unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person. 2. A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless: (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or (b) the disclosure is permitted under a privacy code of practice. 3. For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned. |
23(7) A public sector agency (whether or not a law enforcement agency) is not required to comply with Section 19 if the disclosure of the information concerned is reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed. 25. Exemptions where non-compliance is lawfully authorised or required A public sector agency is not required to comply with Section 9, 10, 13, 14, 15, 17, 18 or 19 if: (a) the agency is lawfully authorised or required not to comply with the principle concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998) 26. Other exemptions where non-compliance would benefit the individual concerned A public sector agency is not required to comply with section 10, 18 or 19 if the individual to whom the information relates has expressly consented to the agency not complying with the principle concerned. |
|
4. The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to person or bodies outside New South Wales. 5. Subsection (2) does not apply: (a) until after the first anniversary of the commencement of this section (b) until a code referred to in subsection (4) is made clear, whichever is the later. |
28(2) A public sector agency is not required to comply with section 19 if, in the case of health related information and in circumstances where the consent of the individual concerned cannot reasonably be obtained, the disclosure is made by an authorised person to another authorised person involved in the care or treatment of the individual. An authorised person is a medical practitioner, health worker, or other official or employee providing health or community services, who is employed or engaged by a public sector agency. 28(3) Nothing in section 17, 18 or 19 prevents or restricts the disclosure of information: (a) by a public sector agency to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or (b) by a public sector agency to any public sector agency under the administration of the Premier if the disclosure is for the purposes of informing the Premier about any matter Code of Practice The Privacy Commissioner’s draft Code of Practice for Inter-agency Transfers of personal information authorises transfers in connection with: i. dealing with ministerial correspondence; ii. audit, but only where specific circumstances exist (as set out in the Code of Practice); iii. joint task forces. |
|
What is not personal information? (s.4(3)).
Personal information does not include:
(a) information about an individual who has been dead for more than 30 years, (b) information about an individual that is contained in a publicly available publication, (c) information about a witness who is included in a witness protection program under the Witness Protection Act 1995 or who is subject to other witness protection arrangements made under an Act, (d) information about an individual arising out of a warrant issued under the Telecommunications (Interception) Act 1979 of the Commonwealth, (e) information contained in the course of an investigation arising out of a protected disclosure, (f) information about an individual arising out of, or in connection with, an authorised operation within the meaning of the Law Enforcement (Controlled Operations) Act 1997,
|
|
|
(g) information about an individual arising out of a Royal Commission or Special Commission of Inquiry, (h) information about an individual arising out of a complaint made under Part 8A of the Police Service Act 1990, (i) information about an individual that is contained in a document of a kind referred to in clause 1 or 2 of Schedule 1 (restricted documents) to the Freedom of Information Act 1989 (ie Cabinet documents or Executive Council Documents), (j) information or an opinion about an individual’s suitability for appointment or employment as a public sector official, (k) information about an individual that is of a class, prescribed by the regulations for the purposes of this subsection. s.4(4) - For the purposes of this Act, personal information is held by a public sector agency if:
(a) the agency is in possession or control of the information, or (b) the information is in the possession or control of a person employed or engaged by the agency in the course of such employment or engagement, or (c) the information is contained in a State record in respect of which the agency is responsible under the State Records Act 1998.
s.4(5) - Personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited. |
|