21 March 2014

ACT Information Privacy Bill 2014

The ACT Government has introduced into the Territory's Legislative Assembly the Information Privacy Bill 2014 (ACT), emulating the amended Privacy Act 1988 (Cth).

The Government indicates that the "main purpose" of the Bill is
to introduce ACT privacy legislation to regulate the handling of personal information (other than personal health information) by public sector agencies in the Territory. ...
Previously the Commonwealth Privacy Act 1988, as enacted in 1994, applied to the ACT and was administered by the Privacy Commissioner on behalf of the ACT Government. The Privacy Act applied to ACT public sector agencies by virtue of section 23 of the Commonwealth Australian Capital Territory Government Service (Consequential Provisions) Act 1994. The Privacy Act also applied to the private sector in the Territory, as it does in other Australian jurisdictions.
In addition to this, the ACT has its own legislation dealing with personal health information and workplace surveillance:
  • the Health Records (Privacy and Access) Act 1997 provides for privacy and access rights to personal health information whether it is held in the public or the private sector;
  • the Workplace Privacy Act 2011, modelled on NSW legislation, regulates when an employer may conduct surveillance on an employee.
In acknowledging the responsibilities of ACT self-governance, and in light of the Commonwealth privacy reforms, it is timely for the ACT to consider developing its own Privacy Act applying to public sector agencies in the Territory.
This would cease the operation of the Commonwealth law in relation to public sector agencies in the Territory, leaving the Commonwealth law to cover the private sector, an approach adopted in other Australian jurisdictions, including New South Wales and Victoria.
Basis

The Government notes that "introduction of an ACT Privacy Act" was a 2012 election commitment, along with introduction of a statutory cause of action to protect against serious invasions of privacy.
Separate privacy legislation for ACT public sector agencies meets this commitment. Additional policy work on evaluating the suitability of a statutory cause of action for a breach of privacy will continue after the Australian Law Reform Commission (ALRC) report into a statutory cause of action for serious invasions of privacy that will guide the second stage of the Commonwealth’s privacy reforms is published in June 2014.
The Explanatory Statement regarding the Information Privacy Bill indicates that it
is concerned with regulating the information handling and privacy practices of ACT public sector agencies.
There are two provisions (sections 53(1) & (2)) which create criminal offences for the unauthorised and reckless use or disclosure of protected information by a public sector officer or other person who has obtained the information through their role performing functions under the Information Privacy Bill.
It is a defence to the charge of use or disclosure of protected information if the use or disclosure is authorised by a Territory law, is in relation to the exercise of a function under a Territory law, is in a court proceeding or is used or disclosed with consent of the person to whom the information relates.
The maximum penalty for these offences is 50 penalty units, imprisonment for 6 months or both. These offences are in line with the principles set out in the JACS Guide to Framing Offences and are aimed at ensuring that personal information which can come into the possession of individual public sector officers by virtue of their position in a public sector agency is not misused.
Creating offences to discourage the abuse of personal information is necessary to ensure trust in the ability of the Commissioner and other officials to responsibly manage information obtained or compelled from ACT residents by the operation of the Information Privacy Act. At the same time, the bill provides that officials cannot be held civilly liable for an act or omission done honestly and without recklessness in the exercise of a function under the Information Privacy legislation.
Coverage

What is covered? The Statement notes that "personal information for the purposes of this act"
is any information that is - ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable—
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not’.
The definition has been adopted from Commonwealth Privacy Act 1988 incorporating amendments by the Commonwealth Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
The amendments to the definition do not significantly change the scope of what is considered to be personal information. The definition continues to be based on factors which are relevant to the context and circumstances in which personal information is collected and held. The definition continues to be sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled.
The definition of personal information in the Act specifically excludes personal health information. The ACT’s existing Health Records (Privacy and Access) Act 1997 will continue to regulate privacy and access rights to personal health information held in the public or the private sector. ... An act or practice of a public sector agency will be an interference with the privacy of an individual where it breaches a Territory privacy principle in relation to personal information about the individual, or breaches a TPP code that binds the agency in relation to personal information about the individual. An act or practice of a contracted service provider under a government contract will be an interference with the privacy of an individual if the act or practice breaches a TPP or TPP code binding the agency which entered into the contract.
The Bill enshrines several Territory Privacy Principles (TPPs), which are not an exact match for the Australian Privacy Principles (APPs) under the Commonwealth statute. They are -
TPP 1 – open and transparent management of personal information
TPP 2 – anonymity and pseudonymity
TPP 3 – collection of solicited personal information
TPP 4 – dealing with unsolicited personal information
TPP 5 – notification of the collection of personal information
TPP 6 – use or disclosure of personal information
TPP 8 – cross-border disclosure of personal information
TPPs 7 and 9 are not substantive TPPs but refer to Commonwealth APPs which are not relevant to the handling of information by public sector agencies. APP 7 prohibits direct marketing and APP 9 regulates the adoption, use or disclosure of government-related identifiers (for example, Medicare numbers and driver’s licence numbers).
TPP 10 – quality of personal information
TPP 11 – security of personal information
TPP 12 – access to personal information
TPP 13 – correction of personal information
Entities addressed by the proposed legislation are -
• a Minister (ie the Chief Minister or a Minister appointed under section 41 of the ACT Self-Government Act);
• an administrative unit (ie an administrative unit established under section 13(1) of the Public Sector Management Act 1994, for example the Justice and Community Safety Directorate);
• a statutory office-holder and the staff assisting the statutory office-holder, for example the Director of Public Prosecutions, appointed under section 22 of the Director of Public Prosecutions Act 1990;
• a territory authority (ie a body established for a public purpose under an Act, other than a body declared by regulation not to be a territory authority. An example is the ACT Legal Aid Commission);
• a territory instrumentality (a corporation established under an Act or statutory instrument, or under the Corporations Act, and is a territory instrumentality under the Public Sector Management Act 1994, for example the ACT Professional Standards Council established under the Civil Law (Wrongs) Act 2002);
• a territory-owned corporation or a subsidiary of a territory-owned corporation (eg the ACTEW utility);
• an ACT court (ie the Supreme Court, Magistrates Court, Coroner’s Court or a tribunal, and includes a judge, magistrate, tribunal member and any other person exercising a function of the court or tribunal).
Values

The Statement goes on to note that
Privacy is a quality that emphasises human desire for personal autonomy, dignity and freedom from arbitrary or unreasonable or oppressive interference and intrusion into an individual’s personal sphere. The right to privacy and reputation is set out in section 12 of the Human Rights Act 2004. That section states that - Everyone has the right— (a) not to have his or her privacy, family, home or correspondence interfered with unlawfully or arbitrarily; and (b) not to have his or her reputation unlawfully attacked.
The right to privacy in the Human Rights Act is based on the right to privacy set out in Article 17 of the International Covenant on Civil and Political Rights (‘ICCPR’). The UN Human Rights Committee (‘UNHRC’), commenting on the right to privacy, noted that ‘as all persons live in society, the protection of privacy is necessarily relative. However, the competent public authorities should only be able to call for such information relating to an individual's private life the knowledge of which is essential in the interests of society...’
The UNHRC has stated that unlawful, in the context of the right to privacy set out in Article 17, “means that no interference can take place except in cases envisaged by the law. Interference can only take place on the basis of law, which itself must comply with the provisions, aims and objectives of the Covenant”. The protection from arbitrary interference with privacy means that the State cannot randomly or capriciously interfere with an individual’s privacy in a manner that is unrestrained or not based on demonstrable evidence. The UNHRC has stated that an interference that is lawful can be arbitrary if it is unreasonable in the circumstances. Reasonableness implies that any interference with privacy must be proportionate to the end sought and must be necessary in the circumstances of any given case.
The Information Privacy Bill supports and enhances the right to privacy by ensuring that there is a clear framework setting out how ACT public sector agencies collect, use, disclose and otherwise manage personal information. Ensuring there is a comprehensive and clearly identifiable privacy regime in the ACT means that individuals are protected from arbitrary or unlawful breaches of an individual’s right to privacy.
If breaches do occur, the Information Privacy Bill establishes mechanisms for the independent investigation and resolution of complaints and an avenue for redress through the courts. Arguably, part 4 of the Act may impose a limitation on the right to privacy by exempting some public sector agencies from the operation of the Act. The right to privacy is not absolute and may be reasonably limited by laws which can be demonstrably justified in a free and democratic society. Under section 24 an exemption for certain public sector agencies is limited in application to three non-permanent investigative bodies, plus entities prescribed by regulation, that can be established to perform important functions of inquiry, according to law. These include:
(a) a board of inquiry under the Inquiries Act 1991;
(b) a judicial commission under the Judicial Commissions Act 1994;
(c) a royal commission under the Royal Commissions Act 1991;
(d) an agency prescribed by regulation.
Section 17 of the Inquiries Act 1991; s 28 of the Judicial Commissions Act 1994 and s 20 of the Royal Commissions Act 1991 all create criminal offences for the unlawful and unauthorised collection, use or disclosure of information obtained by virtue of a person’s involvement with the inquiry or commission. These protections are stricter than those set out in the Information Privacy Bill 2014, but also appropriately tailored to the special nature and conduct of such investigations.
Under section 25 the Information Privacy Bill will not apply to the following acts and practices:
(a) for a Minister—an act done, or a practice engaged in, by the Minister other than an act done, or a practice engaged in, by the Minister in relation to the affairs of a public sector agency administered by the Minister;
(b) for an ACT court—an act done, or a practice engaged in, by the ACT court other than an act done, or a practice engaged in, by the ACT court in relation to a matter of an administrative nature;
(c) for the Office of the Legislative Assembly—an act done, or a practice engaged in, by the Office other than an act done, or a practice engaged in, by the Office in exercising a function in relation to a proceeding of the Legislative Assembly;
(d) for officers of the Assembly—an act done, or a practice engaged in, by the officer of the Assembly other than an act done, or a practice engaged in, by the officer in relation to a matter of an administrative nature;
(e) for an FOI exempt agency—an act done, or a practice engaged in, by the agency in relation to a document in relation to which the agency is exempt from the operation of the FOI Act;
(f) for an agency prescribed by regulation—an act done, or a practice engaged in, by the agency in relation to a matter prescribed by regulation.
Section 28 of the Human Rights Act states that rights can be subjected to reasonable limitations set by laws that can be demonstrably justified in a free and democratic society. These exemptions for the listed specific acts and practices are necessary for the effective operation and independence of those specified entities. The exemptions continue existing privileges for Government and the Legislative Assembly and maintain the independence of the Courts.
FOI exempt agencies have been identified as appropriately exempted from other information handling and release rules because they relate to commercial-in-confidence information or relate to personal health information. Entities exempted from the Information Privacy Act in relation to their non-administrative functions are subject to other forms of accountability and oversight which offer equivalent privacy protections in a manner that is suitably adapted to allow certain public officials in specific agencies, officers and members of the Assembly and the judiciary to perform their important functions. These limitations are clearly defined and the boundaries within which practices are exempted are proportionate to the importance of supporting the functions of the exempted entities. There are no blanket exceptions for these entities, and their administrative functions still fall within the scope of the Act.
Proportionality

The Statement comments that
While the right to freedom of expression is a fundamental right, the Information Privacy Act balances the need for communication of information with the right to privacy by setting out different categories of information and imposing additional requirements for the handling of personal information and sensitive information. Other forms of information can be collected and stored without restriction, subject to other Territory or Commonwealth laws. The limitations set out in requiring public sector officials to observe the Territory Privacy Principles (TPPs) in the Act, aim to limit unauthorised use or disclosure of personal information obtained by ACT public sector agencies.
These limitations are both justified and proportionate to ensure that this information, collection of which is necessary for the proper functioning of governance, is handled in accordance with clear procedures and practices that recognise the importance of personal information to the person to which it relates. In the landmark UK case McKennitt v Ash Eady J considered the tension between freedom of expression and the privacy rights of an individual. He stated that -
It is clear that [in the UK] there is a significant shift taking place as between, on the one hand, freedom of expression for the media and the corresponding interest of the public to receive information, and, on the other hand, the legitimate expectation of citizens to have their private lives protected … Even where there is a genuine public interest, alongside a commercial interest in the media in publishing articles or photographs, sometimes such interests would have to yield to the individual citizen’s right to the effective protection of private life.
It is desirable that the broad powers of agencies to require and compel, on threat of penalty, a wide range of personal information, are restrained by a general system of checks on the fair and reasonable use and disclosure of that information.
The limitations in the TPPs are not absolute. Personal information can be used or disclosed within circumstances prescribed by the Act or other Territory laws. There are protections for use or disclosure done honestly and without recklessness by an officer in the course of performing functions under the Act. The Act establishes mechanisms for investigating and resolving alleged breaches of privacy and as part of such investigation may determine that an act or practice was not an interference with the privacy of the individual or was authorised by law.
ACT Information Privacy Commissioner

The Bill provides for establishment of an Information Privacy Commissioner, discussed here.