The Commissioner's media release states
Section 61C of the Privacy and Personal Information Protection Act 1998 (PPIP Act) enables the Privacy Commissioner to make a special report on any matter relating to the functions of the Privacy Commissioner to the Presiding Officer of each House of Parliament. “NSW privacy legislation has stood the test of time well, but there are gaps in privacy protections,” said Dr Elizabeth Coombs, A/NSW Privacy Commissioner.
“The report addresses two of these gaps – that is, protections available to individuals when public or private sector employees covered by the legislation intentionally breach privacy requirements, and when contractors to the public sector do not handle personal information lawfully.”
The recommendations focus on updating legislation to close these gaps and will, if adopted, better secure the privacy rights of individuals in the NSW community.
The Commissioner introduces the report by stating
In discussing the impact of new technologies on privacy, Professor Butler commented:
While in a democratic society the state may have an interest in preserving the autonomy of its citizens from invasions of their privacy, the value of such prohibitions may depend upon the willingness of the relevant authorities to prosecute transgressions. In any event, it is the individual who has his or her dignity or autonomy affronted that has the greater interest in preventing or redressing the wrong. Any appropriate legislative response should therefore make provision for reparation for individuals who have been aggrieved by invasions of their privacy.
Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors. Organisations, whether public or private, generally do the ‘right thing’, as do employees and contractors, but data breach notifications and complaints to my Office are increasing. This is not isolated to NSW. In 2016, the Queensland Crime and Corruption Commission revealed that the misuse of confidential government information was not just one of the most common corruption allegations made, but also an increasing percentage, having almost doubled from 2014-15.
Members of the public have every right to expect that their personal information is not being placed at risk by poor organisational practices, nor accessed by or disclosed to anyone who does not have legitimate authority to use it. When such incidents occur, it is important that those affected have recourse.
NSW privacy legislation has stood the test of time well overall, but there are gaps, as outlined in my 2015 statutory report on the operation of the Privacy and Personal Information Protection Act 1998 (PPIP Act). The gaps this report focuses on concern the action that can be taken by individuals when public and private organisations’ employees intentionally breach privacy requirements, and when public sector contractors do not handle personal information according to the legislation.
The proposed improvements entail amendments to the PPIP Act and the Health Records and Information Privacy Act 2002 (HRIP Act) to increase the accountability of employees and contractors. The amendments are not novel; they are working successfully in other laws, and their adoption will make provision for reparation by individuals who have been aggrieved by incursions into their privacy.
The report is made as a special report to the NSW Parliament under section 61C of the PPIP Act to raise awareness of these issues and to aid the development of appropriate legislative, policy and procedural responses. Public debate and action are needed in this important area given the rapid changes the NSW public and service providers are experiencing as a consequence of the advances in digital technology.
The report is summarised as
Many areas of law regulating the responsibilities of government agencies and private service providers include provisions that require those organisations to have comprehensive systems in place for the protection of the rights of persons with whom they have dealings, for example tort, anti-discrimination, and workplace safety laws. Similarly, and additionally, laws and administrative systems are also in place to protect the property that organisations hold from corrupt exploitation by employees and their agents.
Collecting, handling, and disclosing personal and health information is a major activity in many modern organisations. As with obligations under other laws and community expectations, in order to deal with information in ways that help organisations maintain the trust of the community and avoid liabilities, an information ethics and governance framework needs to have a central place in every organisation’s culture, to prevent privacy breaches and misuse of personal and health information.
NSW privacy legislation provides mechanisms for the enforcement of the informational rights of individuals, and the prosecution of employees and agents for corrupt misuse of personal information held by the organisations that engage them. It also places obligations on the public sector to ensure its agents (such as contractors) handle personal information respectfully. But there are gaps; current NSW privacy legislation does not provide adequate protections when:
- employees of public or private organisations commit intentional privacy wrongdoings.
- public sector contractors do not handle personal information according to the legislation.
This report looks at these issues and proposes legislative solutions that will better secure the privacy rights of individuals by overcoming these two shortcomings by adopting mechanisms already established in other laws.
The Commissioner's recommendations are -
1: Amend the PPIP Act and the HRIP Act to allow victims of privacy breaches to have a right to complain against both a public sector agency and relevant employees. That is, to request that the Tribunal make employees second respondents in cases where a public sector agency claims that its data security safeguards were adequate and that the agency should not be liable for the alleged conduct of its employees who contravened privacy law.
2: Amend the HRIP Act to allow victims of privacy breaches to have a right to complain against both a private sector organisation and relevant employees. That is, to request that the Privacy Commissioner make employees second respondents in cases where a private sector organisation claims that its data security safeguards were adequate and that the organisation should not be liable for the alleged conduct of its employees who contravened privacy law.
3: Base amendments of both NSW privacy statutes (PPIP Act and HRIP Act) upon sections 36 and 37 of the Queensland Information Privacy Act 2009 and section 95B of the Federal Privacy Act 1988 to enable the public sector to choose to retain responsibility for any privacy contravening conduct of its contractors and subcontractors, or alternatively, to enter into contracts that make contractors and any subcontractors directly liable as if they are public sector agencies.
4: Amend section 12 of the PPIP Act and HPP5 in Schedule 1 of the HRIP Act to require public sector agencies and private organisations, as may be applicable, to have in place both proactive and reactive measures to prevent data breaches in line with section 53 of the NSW Anti-Discrimination Act 1977.