I argued that the proposed regime is overly broad, is contrary to the Government’s recognition of the importance of privacy and – most importantly – will foster distrust in the community about the handling of sensitive personal health information. Trust is the foundation of an effective public health regime and not something that should be disregarded on the basis of bureaucratic convenience.
My submission included the feedback that:
The Government’s commitment to addressing concerns regarding dust related diseases and in particular protecting workers from harms attributable to silicosis associated with manufactured stone is commendable. The Bill however is an inappropriately broad response that is contrary to the Government’s stated commitment to privacy, has not been the subject of appropriate consultation and will erode public trust that is a foundation of the health system. The Bill is an example of deficient drafting and should be rejected.
The Bill is overly broad
The Bill seeks to authorise any sharing of data, including but not restricted to sensitive personal health data, by NSW Health with the state Workplace Health and Safety regulator (SafeWork NSW). It expressly takes that sharing outside the coverage of the NSW privacy regime. It does not feature a review mechanism. It is silent on discretion but the 2nd Reading Speech indicates that decision-making about sharing is left to the Secretary of NSW Health. The Bill is thus contrary to best practice and public trust.
A key principle in Australian and international law is that any erosion of human rights, such as privacy, must be necessary and proportionate rather than on the basis of bureaucratic convenience. Necessity requires that erosion of a right be justified by a discernible and substantive benefit for the community, as distinct from making life easier for a government agency or partner. Proportionality requires that erosion of a right not go beyond what is required to achieve a public good. A salient test is accordingly whether a particular enactment or other mechanism will do the least harm, be the least erosive.
The principle means that legislators should be wary about giving public/private sector entities the equivalent of a blank cheque, in this instance a proposed statutory authority for sharing of any NSW Health information (gathered on a statutory and/or other basis) without any restriction under NSW privacy law such as the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW).
The sharing envisaged in the Bill should be specifically restricted to silicosis-related data rather than authorising the sharing of any data.
If the expectation is that NSW Health be authorised to share non-silicosis data (for example relating to environmental contaminants, carcinogenic chemicals and other harmful substances in the workplace) that very expansive authorisation should be clearly expressed and subject to public discussion. Such sharing should be specifically accommodated within the state’s privacy enactments and subject to external scrutiny. The 2nd Reading Speech refers to “limited personal and medical information about workers” and other workers. There is no indication in the Bill of constraints regarding that sharing, with for example no identification of the meaning of “limited”.
The overly-broad sharing – irrespective of exclusion from coverage by the Privacy and Personal Information Act and irrespective of the future Memorandum discussed immediately below – must not be regarded as a model for exclusion of privacy protection in other areas of the state’s public administration. As it stands both the Bill and the inadequate process regarding its development are a disquieting precedent that should be challenged by the Committee.
Ministers have in the past used language such as “privacy is sacred” (for example in introducing legislation regarding the NSW digital driver licence scheme) and stated that the Government has a commitment to respecting privacy as one of the rights identified in a range of international human rights agreements to which Australia is a member. The basis for walking away from that commitment through an express exclusion of privacy in the Bill is unclear. ...
As things stand there are no privacy safeguards in the Bill. There is no reference in the Bill to the Memorandum. There appears to be no requirement for the Memorandum to be published (an expectation in relation to best practice in government accountability through independent scrutiny and for legitimacy regarding the ‘blank cheque’ sharing authorised under the proposed regime). There is no requirement for the Memorandum to be tabled in Parliament, although that tabling might be strongly encouraged by the Committee.
There is no indication of the justiciability of the Memorandum, for example if there is misuse that would otherwise be actionable under the privacy enactments that are expressly excluded in the Bill. There is no requirement for the Memorandum to be approved by the Information and Privacy Commission NSW. Such a requirement would provide a potential safeguard and a recognition by the Government of the function of the Commission in giving effect to the commitment to respecting privacy noted above.