28 February 2017

NSW Workplace Privacy

The Ag NSW Privacy Commissioner has tabled a 48-page report, under Privacy and Personal Information Protection Act 1998 (NSW) s 61C, on 'the legislative scope and interpretation of Employer, Employee, and Agent Responsibilities under privacy legislation'.

The Commissioner's media release states
Section 61C of the Privacy and Personal Information Protection Act 1998 (PPIP Act) enables the Privacy Commissioner to make a special report on any matter relating to the functions of the Privacy Commissioner to the Presiding Officer of each House of Parliament. “NSW privacy legislation has stood the test of time well, but there are gaps in privacy protections,” said Dr Elizabeth Coombs, A/NSW Privacy Commissioner.
“The report addresses two of these gaps – that is, protections available to individuals when public or private sector employees covered by the legislation intentionally breach privacy requirements, and when contractors to the public sector do not handle personal information lawfully.”
The recommendations focus on updating legislation to close these gaps and will, if adopted, better secure the privacy rights of individuals in the NSW community.
The Commissioner introduces the report by stating
In discussing the impact of new technologies on privacy, Professor Butler commented:
While in a democratic society the state may have an interest in preserving the autonomy of its citizens from invasions of their privacy, the value of such prohibitions may depend upon the willingness of the relevant authorities to prosecute transgressions. In any event, it is the individual who has his or her dignity or autonomy affronted that has the greater interest in preventing or redressing the wrong. Any appropriate legislative response should therefore make provision for reparation for individuals who have been aggrieved by invasions of their privacy. 
Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors. Organisations, whether public or private, generally do the ‘right thing’, as do employees and contractors, but data breach notifications and complaints to my Office are increasing. This is not isolated to NSW. In 2016, the Queensland Crime and Corruption Commission revealed that the misuse of confidential government information was not just one of the most common corruption allegations made, but an increasing percentage having almost doubled from 2014-15.
Members of the public have every right to expect that their personal information is not being placed at risk by poor organisational practices, nor accessed by or disclosed to anyone who does not have legitimate authority to use it. When such incidents occur, it is important that those affected have recourse.
NSW privacy legislation has stood the test of time well overall, but there are gaps, as outlined in my 2015 statutory report on the operation of the Privacy and Personal Information Protection Act 1998 (PPIP Act). The gaps this report focuses on, concern the action that can be taken by individuals when public and private organisations’ employees intentionally breach privacy requirements, and when public sector contractors do not handle personal information according to the legislation.
The proposed improvements entail amendments to the PPIP Act and the Health Records and Information Privacy Act, 2002 (HRIP Act) to increase the accountability of employees and contractors. The amendments are not novel; they are working successfully in other laws, and their adoption will make provision for reparation by individuals who have been aggrieved by incursions into their privacy.
The report is made as a special report to the NSW Parliament under section 61C of the PPIP Act to raise awareness of these issues and to aid the development of appropriate legislative, policy and procedural responses. Public debate and action are needed in this important area given the rapid changes the NSW public and service providers are experiencing as a consequence of the advances in digital technology.
The report is summarised as
Many areas of law regulating the responsibilities of government agencies and private service providers include provisions that require those organisations to have comprehensive systems in place for the protection of the rights of persons with whom they have dealings, for example tort, anti-discrimination, and workplace safety laws. Similarly, and additionally, laws and administrative systems are also in place to protect the property that organisations hold from corrupt exploitation by employees and their agents.
Collecting, handling, and disclosing personal and health information is a major activity in many modern organisations. As with obligations under other laws and community expectations, in order to deal with information in ways that help organisations maintain the trust of the community and avoid liabilities, an information ethics and governance framework needs to have a central place in every organisation’s culture, to prevent privacy breaches and misuse of personal and health information.
NSW privacy legislation provides mechanisms for the enforcement of the informational rights of individuals, and the prosecution of employees and agents for corrupt misuse of personal information held by the organisations that engage them. It also places obligations on the public sector to ensure its agents (such as contractors) handle personal information respectfully. But there are gaps; current NSW privacy legislation does not provide adequate protections when:
  • employees of public or private organisations commit intentional privacy wrongdoings. 
  • public sector contractors do not handle personal information according to the legislation.
This report looks at these issues and proposes legislative solutions that will better secure the privacy rights of individuals by overcoming these two shortcomings by adopting mechanisms already established in other laws.
The Commissioner's recommendations are -
1 : Amend the PPIP Act and the HRIP Act to allow victims of privacy breaches to have a right to complain against both a public sector agency and relevant employees. That is, to request that the Tribunal make employees second respondents in cases where a public sector agency claims that its data security safeguards were adequate and that the agency should not be liable for the alleged conduct of its employees who contravened privacy law.
2 : Amend the HRIP Act to allow victims of privacy breaches to have a right to complain against both a private sector organisation and relevant employees. That is, to request that the Privacy Commissioner make employees second respondents in cases where a private sector organisation claims that its data security safeguards were adequate and that the organisation should not be liable for the alleged conduct of its employees who contravened privacy law.
3 : Base amendments of both NSW privacy statutes (PPIP Act and HRIP Act) upon sections 36 and 37 of the Queensland Information Privacy Act 2009 and section 95B of the Federal Privacy Act 1988 to enable the public sector to choose to retain responsibility for any privacy contravening conduct of its contractors and subcontractors, or alternatively, to enter into contracts that make contractors and any subcontractors directly liable as if they are public sector agencies.
4 : Amend section 12 of the PPIP Act and HPP5 in Schedule 1 of the HRIP Act to require public sector agencies and private organisations, as may be applicable, to have in place both proactive and reactive measures to prevent data breaches in line with section 53 of the NSW Anti-Discrimination Act 1977.

27 February 2017


‘Automated Facial Recognition Technology: Recent Developments and Approaches to Oversight’ by Monique Mann and Marcus Smith in (2017) 40(1) University of New South Wales Law Journal comments 
There has been a rapid expansion in the type and volume of information collected for security purposes following the terrorist attacks on the United States of America (‘US’) on 11 September 2001. This event has been described as precipitating a program of ‘globalized surveillance’. New technology, biometric identification and other developments such as metadata retention can provide governments with an increasingly comprehensive picture of citizens’ lives. This has resulted in a rapidly expanding use of human biometric information in law enforcement investigations and other applications.
The first part of this article describes Automated Facial Recognition Technology (‘AFRT’) and its law enforcement and border security applications, as well as integration with image sources such as closed circuit television (‘CCTV’), social media and big data. Recent developments including biometric identification documents (licences and passports) and information sharing arrangements that promote searching between state, territory and national government databases to facilitate a national facial recognition system will be discussed. These developments are reviewed against the backdrop of tension between individual privacy rights and collective security objectives. The second part of the article examines existing privacy protections, law enforcement exemptions, and regulatory options based on an international review of current oversight models. As is often the case in relation to technological advancements, government regulation and the legal system have lagged behind, and potential regulatory approaches have not been adequately discussed in either public debate or the academic literature.
In the absence of a constitutional bill of rights or a cause of action for serious invasion of privacy in Australia, there are limited protections in relation to biometric information, and those that do exist, such as protections provided by the Privacy Act 1988 (Cth), are subject to exemptions. This has led to a significant governance gap. In order to align with international regulatory practices, the functions and funding of the Office of the Australian Information Commissioner (‘OAIC’) should be strengthened or, alternatively, a Biometrics Commissioner should be introduced.

26 February 2017


'Freedom of Information Beyond the Freedom of Information Act' by David Pozen in (2017) University of Pennsylvania Law Review comments 
The U.S. Freedom of Information Act (FOIA) allows any person to request any agency record for any reason. This model has been copied worldwide and celebrated as a structural necessity in a real democracy. Yet in practice, this Article argues, FOIA embodies a distinctively “reactionary” form of transparency. FOIA is reactionary in a straightforward, procedural sense in that disclosure responds to ad hoc demands for information. Partly because of this very feature, FOIA can also be seen as reactionary in a more substantive, political sense insofar as it saps regulatory capacity; distributes government goods in an inegalitarian fashion; and contributes to a culture of adversarialism and derision surrounding the domestic policy bureaucracy while insulating the far more secretive national security agencies, as well as corporations, from similar scrutiny. If this Article’s core claims are correct to any significant degree, then open government advocates in general, and progressives in particular, ought to rethink their relationship to this landmark law.


From ‘Kurt Riezler (1882-1955)’ by Leo Strauss in What Is Political Philosophy? And Other Studies (University of Chicago Press, 1959) 236, 260
Human dignity, Riezler suggests among other things, stands and falls by shame and awe because man's greatness is co-present in his littleness and his littleness is co-present in his greatness. It was ultimately because he grasped the meaning of shame and awe that Riezler was a liberal, a lover of privacy. By invading men's privacy one does not come to know them better - one merely ceases to see them. For man's being is revealed by the broad character of his life, his deeds, his works, by what he esteems and reveres not in word but in deed - by the stars for which his soul longs if it longs for any stars.