28 May 2024

Privacy

The Tasmanian Law Reform Institute has released its Final Report on the Review of Privacy Law in Tasmania, following the Issues Paper of March 2023. The Report makes 63 recommendations for reforms.

The Institute comments that the Final Report 

adopts a broad working definition of privacy ([2.2]) which covers the overlapping categories of information privacy, privacy of communications, bodily privacy, and territorial privacy. Bodily and territorial privacy are collectively known as ‘rights to seclusion’, which is the right to have one’s physical self and one’s environment free from intrusion. 

Currently, there is no comprehensive privacy regulation in Tasmania. Rather, privacy protection is fragmented across different laws that protect different types of privacy in different specific circumstances ([2.5]). Different legislation may interact to affect privacy protections (Part 2). The applicability of regulations at the Australian federal level under the Privacy Act and at the international level creates further complexity in the landscape of privacy protection. Accordingly, in answer to the overarching question guiding this project, the TLRI’s view is that existing privacy laws in Tasmania are not adequately protective. 

In contemplating appropriate reforms, the TLRI considers that consistency of the Tasmanian information privacy legislation with the Commonwealth and other State and Territory legislation is desirable. This is a key issue identified in reviews elsewhere in Australia, and in submissions to this Final Report. Consistency reduces confusion, promotes information sharing and enables Tasmania to learn from the experiences in other jurisdictions. 

A statutory tort for serious invasions of privacy 

In addressing the gaps in privacy protection, together with the fragmented landscape of protection under both legislation and general law, the TLRI considers that there is a case for creating a civil statutory cause of action (and remedy) for certain interferences with privacy. The TLRI considers that the introduction of a statutory tort for serious invasions of privacy would address a significant gap in privacy protection in Tasmania that appears unlikely to be addressed in common law in the immediate term. This view is consistent with recommendations of multiple national and State-based reviews in recent years. 

A statutory tort to be enacted in a standalone Commonwealth Act, with cross-vesting of federal jurisdiction, would be the most appropriate way to introduce such a protection. However, the TLRI considers that, if the Commonwealth does not adopt the proposal of the ALRC and the Privacy Act Review in the near future, further consideration should be given to the introduction of Tasmanian legislation to create a statutory civil cause of action, or statutory tort, of privacy. 

Personal Information Protection Act 2004 (Tas) 

The primary privacy framework in Tasmania is the Personal Information Protection Act 2004 (Tas) (‘PIPA’), which binds government agencies and their contractors. It protects government-held information, primarily through prescribing 10 ‘Personal Information Protection Principles’ (‘PIPPs’) by which the entities must abide. While a detailed piece of legislation, there are multiple gaps in its scope, operation, and enforcement that can jeopardise privacy. To address these gaps, the TLRI makes recommendations relating to the scope of the information protected by: 
• amending the definition of personal information; 
• inserting into the PIPA a non-exhaustive list of circumstances to which PIPA personal information custodians will be expected to have regard in assessing whether identity is ‘reasonably identifiable’; 
• inserting a definition of ‘de-identified’; and 
• aligning the definition of ‘sensitive information’ by adding biometric information and genetic information about an individual that is not otherwise health information to the PIPA definition. 

The TLRI also makes recommendations about removing exemptions or exceptions under the PIPA relating to employee information and public information. Currently, these types of information receive less than the general level of legislative privacy protection (see [4.12]). 

The TLRI also considers that a definition of law enforcement information should be included in the PIPA and that the Ministerial exemption mechanism based on a public benefit assessment in the PIPA should be amended. Further, it is the TLRI’s view that exemptions for information handling in emergency situations should be provided for in the PIPA (see [4.15]). 

In addressing the alignment of the Tasmanian privacy principles with the Commonwealth Act, the TLRI recommends a number of changes to the PIPPs and other provisions of the PIPA to enhance consistency and clarity for both individuals and personal information custodians and to respond more comprehensively to privacy risks associated with the increasing proliferation and sophistication of digital technology (see Parts 5–7). These reforms are in the areas of the collection, use and disclosure of personal information, data quality, security, access and correction, and complaints, monitoring, and enforcement (see Parts 5 and 6). 

The TLRI notes the concerns raised in multiple submissions about the privacy risks associated with emerging technology, such as facial recognition and automated decision-making. The TLRI agrees with the findings of the Commonwealth Privacy Act Review and other recent projects (such as the AHRC’s Human Rights and Technology project) that the risks associated with these technologies justify reforms to privacy legislation. There is considerable scope to strengthen the PIPA complaints process, and to make provision for remedies for breaches of the PIPA, in order to enhance privacy protections for individuals and foster personal information custodians’ compliance with the PIPA. The TLRI considers that strengthened data breach notification measures should be implemented in Tasmania; this is discussed in more detail in Part 8. Additional resources would need to be made available to assist personal information custodians to comply with data breach notification requirements. 

Other legislative provisions outside the Personal Information Protection Act 2004 (Tas) (‘PIPA’) that impact the privacy of government-held information 

Rights relating to the handling of personal information and the right to information held by government agencies are closely related. Yet, unlike in other jurisdictions, there is a lack of clarity as to the relationship between the privacy protections in the PIPA and freedom of information rights in the Right to Information Act 2009 (Tas) (‘RTI Act’). There is also uncertainty regarding the interaction of the PIPA with other legislative schemes that have provisions restricting the sharing of government-held information or providing for access to information. Accordingly, it is the TLRI’s view that there should be a close examination of the relationship between the provisions of the PIPA and other Tasmanian legislation with a view to obtaining greater harmonisation and consistency between them (see Part 9). Other legislation provides protection against multiple forms of harm to privacy interests but these are generally limited to activities or circumstances in which specific interferences with privacy might occur. These include stalking, harassment, image-based abuse (previously called ‘revenge pornography’), governmental or workplace surveillance, and handling of health information. 

In relation to the issue of the adequacy of the surveillance legislation applying in Tasmania ([10.2]–[10.11]), the TLRI notes that generally the approach under the Listening Devices Act 1991 (Tas) and the Police Offences Act 1935 (Tas) provides a broad safeguard for individual privacy. Nevertheless, the TLRI considers that there is scope to expand existing surveillance protections contained in the Listening Devices Act 1991 (Tas) to cover a broader range of technologies, such as visual and tracking devices, as exists in most other jurisdictions. 

Stalking, harassment, and bullying may in some circumstances involve interference with privacy—whether through intrusion upon seclusion (also referred to as physical privacy, meaning a person’s bodily or territorial privacy) or through the malicious use of private information against the person concerned (for example, to intimidate, blackmail, or otherwise coerce that person). As with other egregious interferences with privacy, these behaviours may cause humiliation, psychological distress, or intimidation. 

After reviewing the legislation that exists in other jurisdictions, and taking into account the submissions received, the TLRI’s view is that there are areas in which the laws that apply in relation to stalking and bullying could be strengthened in Tasmania to provide greater clarity around, and better protection for, physical privacy. There is also a need to enact State-based offences relating to distributing an intimate image without consent or threatening to distribute an intimate image. This is consistent with the National Statement of Principles relating to the Criminalisation of the Non-consensual Sharing of Intimate Images, which sets out principles for nationally consistent criminal offences.

The Recommendations are:

Recommendation 1: The definition of ‘personal information’ in the PIPA should be amended to: 
• replace ‘about’ with ‘relating to’; and 
• introduce a non-exhaustive list of information that may fall within the definition of personal information. 

Recommendation 2: Further consideration should be given to: 
• amending the definition of ‘personal information’ by replacing ‘reasonably ascertainable’ with ‘reasonably identifiable’; and 
• providing further guidance for personal information custodians by inserting a non-exhaustive list of circumstances to which PIPA personal information custodians will be expected to have regard in assessing whether identity is ‘reasonably identifiable’. 

Recommendation 3: The PIPA should be amended to insert a definition of ‘de-identified’ that is consistent with the definition in the Privacy Act 1988 (Cth) and that clarifies that ‘de-identification is a process, informed by best available practice, applied to personal information which involves treating it in such a way such that no individual is identified or reasonably identifiable in the current context’. 

Recommendation 4: Further consideration should be given to whether the PIPA should be amended to: 
• introduce a criminal offence for ‘malicious re-identification’ of de-identified information where there is an intention to harm or obtain an illegitimate benefit; and/or 
• introduce a prohibition on PIPA personal information custodians from re-identifying information obtained from a source other than the individual to whom the information relates. 

Recommendation 5: The definition of ‘sensitive information’ in the PIPA should be amended to include: 
• biometric information used for the purpose of automated biometric verification or biometric identification; 
• biometric templates; and 
• genetic information about an individual that is not otherwise health information. 

Recommendation 6: If Recommendation 1 is implemented, the definition of ‘sensitive information’ should also be amended to replace ‘about’ with ‘relating to’. 

Recommendation 7: The definition of ‘health information’ in the PIPA should be amended to align with the definition of ‘personal information’. 

Recommendation 8: In line with developments at the Commonwealth level and the desirability of consistency with the approach in other jurisdictions, further consideration should be given to amending the PIPA to expand the definition of ‘sensitive information’ to: 
• include genomic information; and 
• include inferences about sensitive information. 

Recommendation 9: Pending the outcome of the Commonwealth Privacy Act Review, further consideration should be given to amending the PIPA to: 
• insert a definition of geolocation tracking data; and 
• specify that such geolocation tracking data can only be collected, used, disclosed, and stored with consent. 

Recommendation 10: Section 12 of the PIPA should be subject to further consultation with public authorities, to clarify whether the provision is necessary in light of other information-sharing provisions in the PIPA. 

Recommendation 11: The employee information exemptions in the PIPA should be removed. 

Recommendation 12: The public information exemption in the PIPA should be removed. Consideration should be given to ensuring that appropriate resources, guidance and transition periods are set to enable public authorities to comply with this amendment. 

Recommendation 13: A definition of ‘law enforcement information’ should be included in the PIPA.  

Recommendation 14: The public benefit exemption mechanism should be amended to either: (a) introduce a mechanism making Ministerial public benefit determinations subject to disallowance by the Parliament; or (b) if Recommendation 47 is adopted and an independent office-holder (such as an information commissioner or a privacy commissioner) is established, confer the power to make public benefit determinations on that office-holder, subject to disallowance by the Parliament. 

Recommendation 15: There should be appropriate exemptions for information handling in emergency situations in the PIPA. 

Recommendation 16: The term ‘collects’ should be defined in the PIPA, and the definition should include inferred and generated information. 

Recommendation 17: PIPP 1(3) should be amended to require personal information custodians to disclose who else may have access to the information once collected. 

Recommendation 18: PIPP 1 should be amended to require personal information custodians to take reasonable steps to give notice of collection at or before the time of collection or, if that is not practicable, as soon as practicable after collection. 

Recommendation 19: Further consideration should be given to the recommendations of the Commonwealth Privacy Act Review in relation to whether the PIPA requirements relating to collection notices should be amended to: 
• require that collection notices should be clear and understandable (including where addressed to a child) and accessible; and 
• require that collection notices contain additional details, such as details of the circumstances of handling where a high-risk activity is involved, information about the privacy policy and what it contains, and information about individual rights and types of information that may be disclosed to cross-border recipients. 

Recommendation 20: PIPP 1 should be amended to enable personal information custodians to collect personal information about an individual from a person other than the individual, where the individual has consented or the custodian is required by law to collect the information. 

Recommendation 21: The PIPA should be amended to insert a definition of ‘consent’ consistent with the definition of valid consent in the OAIC Guidelines on the Australian Privacy Principles. 

Recommendation 22: Guidance on the design of consent requests for online services should be available to personal information custodians. 

Recommendation 23: PIPP 1 should be amended to specify how personal information custodians should respond to receiving unsolicited information. 

Recommendation 24: Further consideration should be given to aligning the PIPA with the Privacy Act in relation to cross-border in terms of: 
• whether personal information custodians should be required to hold a reasonable belief that there are mechanisms for the individual to enforce existing privacy protections prior to cross-border disclosure; 
• whether personal information custodians should be required to expressly inform individuals that, if the individual consents to cross-border disclosure, the custodian will not be obliged to take reasonable steps to ensure the recipient does not breach the PIPP (and, per the Privacy Act Review’s further proposal, that privacy protections may not apply to the recipient); and 
• whether personal information custodians retain responsibility for breaches of the PIPPs after they have taken reasonable steps to ensure the recipient deals with the information consistently with the PIPPs. 

Recommendation 25: The PIPA should be amended to include a definition of ‘disclosure’ consistent with the current definition in the OAIC Guidelines on the Australian Privacy Principles. 

Recommendation 26: The PIPA should be amended to require that collection, use and disclosure of personal information must be fair and reasonable in the circumstances, in line with the recommendation of the Privacy Act Review. 

Recommendation 27: The PIPA (PIPP 1) should be amended to require personal information custodians to determine and record the purposes of collection, use, and disclosure of personal information, including any secondary uses or disclosures. 

Recommendation 28: The scope of PIPA information handling exceptions relating to requirement or authorisation under law should be clarified. 

Recommendation 29: The PIPA should be amended to state that consent to personal information handling must be ‘voluntary, informed, current, specific, and unambiguous’, in line with the proposal of the Privacy Act Review. 

Recommendation 30: The Tasmanian Government should participate in cross-jurisdictional work on the scope and harmonisation of research exceptions in privacy legislation (as proposed by the Privacy Act Review), including in relation to the introduction of a ‘broad consent’ option for research-related personal information handling. 

Recommendation 31: Further consultation with stakeholders, including children and young people and their parents and carers, should be undertaken to ensure that privacy protections under the PIPA are appropriate for children and young people and are consistent with contemporary understandings of children’s decision-making capacity. Matters for consultation may include: 
• whether the PIPA should be amended to specify that consent to information handling will only be valid where the individual has capacity to consent; 
• whether the PIPA should be amended to establish exceptions to consent requirements where seeking consent from a parent or guardian would be inappropriate or harmful for the child or young person; and 
• whether guidance should be developed to assist personal information custodians to assess the capacity of children and young people on a case-by-case basis. 

Recommendation 32: Guidance on capacity and consent, including guidance on recognising and facilitating supported decision-making, should be available to personal information custodians. 

Recommendation 33: An individual ‘right to object’, with the same features as the right proposed by the Commonwealth Privacy Act Review, should be introduced in the PIPA. 

Recommendation 34: PIPP 4 should be amended, in line with the corresponding proposals of the Commonwealth Privacy Act Review, to: 
• provide further guidance to personal information custodians on the ‘reasonable steps’ they must take to protect personal information; 
• set baseline privacy outcomes personal information custodians must meet to fulfil their data security obligations; and 
• require personal information custodians to set and periodically review retention periods for personal information. 

Recommendation 35: Consideration should be given to whether further guidance on PIPA-compliant destruction and de-identification of personal information by personal information custodians, similar to the revised guidance proposed by the Commonwealth Privacy Act Review, is necessary. 

Recommendation 36: An individual ‘right to erasure’, with the same features as the right proposed by the Commonwealth Privacy Act Review, should be introduced in the PIPA. 

Recommendation 37: There should be a review of all Tasmanian legislation that requires retention of personal information to ensure it appropriately balances policy objectives and privacy and cyber-security risks. 

Recommendation 38: PIPP 6 should be amended to require a personal information custodian to: 
• provide individuals with access to their personal information upon request; 
• provide access to personal information in the manner requested by the individual, as long as this is reasonable and practicable, without charge; 
• give written notice of the reasons for a refusal to give access and the mechanisms available to complain about the refusal (which are discussed further in Part 8 of this Report); and 
• adopt a presumption in favour of disclosure. 

Recommendation 39: PIPP 6 should be amended to simplify the process for requesting access to personal information. These amendments should clarify the interaction of the PIPA and the RTI Act.  

Recommendation 40: PIPP 6 should be amended to confer an individual right to explanation about personal information, including a right to explanation of the source of personal information collected indirectly, and a right to an explanation or summary of what a personal information custodian has done with the personal information. 

Recommendation 41: Part 3A of the PIPA should be amended to: 
• modify the operation of Section 17G to enable a person to request (rather than require) the personal information custodian to add information to a notation; 
• require a personal information custodian to provide a written notice of a refusal of a request to add information to a notation; and 
• extend the right to correction in Section 17A to enable persons to request amendment of incorrect, incomplete, out-of-date or misleading information in generally available publications online over which a personal information custodian maintains control. 

Recommendation 42: Individual rights to access and explanation, to object, to erasure, and to correction in the PIPA should be subject to the exceptions proposed by the Commonwealth Privacy Act Review; namely, where: 
• there are competing public interests; 
• required or authorised by law or legal relationships; and 
• technically infeasible or an abuse of process. 

Recommendation 43: Personal information custodians should be required to provide ‘reasonable assistance’ to individuals in exercising a right, take ‘reasonable steps’ to respond to an exercise of a right, and respond within a prescribed timeframe, unless a longer period is justified. 

Recommendation 44: There should be greater clarity around how personal information custodians should meet the requirements of PIPP 5. This should include: 
• specifying the type of information that must be included in privacy policies made under PIPP 5; and 
• requiring personal information custodians to designate a senior employee as privacy officer responsible for compliance with the PIPA. 
This could be implemented by amendment to legislation or regulation, or the development of guidelines. 

Recommendation 45: The PIPA should be amended to: 
• require personal information custodians to specify the types of personal information that will be used in automated decision-making; and 
• establish a right to request meaningful information about how such decisions are made. 

Recommendation 46: Guidance should be developed to support personal information custodians to meet new requirements relating to automated decision-making. 

Recommendation 47: Consideration should be given to: 
• the most appropriate form that a body responsible for broadened enforcement and compliance functions under the PIPA should take; and 
• ensuring adequate resourcing for that body. 

Recommendation 48: Consideration should be given to the introduction of a requirement for the Ombudsman (or other complaints-handling body) to consider the appropriateness of conciliation when dealing with a complaint. There should also be jurisdiction for TasCAT to hear a complaint if the Ombudsman (or other complaints-handling body) decides that it is not reasonably possible that a complaint be conciliated successfully. 

Recommendation 49: Community consultation should be undertaken to ensure that changes to complaints and review processes under the PIPA are available and accessible to all in the community. 

Recommendation 50: Decisions of the Ombudsman (or other complaints-handling body) in relation to PIPA complaints should be reviewable by TasCAT. 

Recommendation 51: TasCAT should be empowered to make appropriate orders against personal information custodians, where all or part of a PIPA complaint has been proven. 

Recommendation 52: Consideration should be given to strengthening the enforcement regime through: 
• the creation of offences for certain conduct; 
• a civil penalty regime; and/or 
• the creation of additional enforcement mechanisms such as injunctions and enforceable undertakings. 
Guidance can be sought from the provision in other Australian jurisdictions as to the scope of the regimes. 

Recommendation 53: The power of the Ombudsman (or other complaints-handling body) to conduct investigations into breaches of the PIPPs, regardless of whether a complaint has been received, should be clarified. 

Recommendation 54: The PIPA should be amended to enable the creation of privacy codes. 

Recommendation 55: The TLRI recommends that Tasmania introduce a data breach notification scheme based on the Commonwealth model. 

Recommendation 56: There should be a close examination of the relationship between the provisions of the PIPA and other Tasmanian legislation with a view to obtaining greater harmonisation and consistency between them. In this review, there is a need to ensure privacy protection is maximised to the extent that is possible in balance with other policy interests. 

Recommendation 57: The Tasmanian Government should undertake a review of provisions that present legislative barriers to the sharing of information within government and with relevant non-government organisations in the interests of protecting the safety and wellbeing of children and young people, people in family violence situations, abuse of elder persons and people with disabilities. 

Recommendation 58: Consideration should be given to reform of the listening devices legislation to strengthen protections for individuals against surveillance by optical surveillance devices, tracking devices, and data surveillance devices. 

Recommendation 59: Consideration should be given to improving the resources made available to allow for independent monitoring of police use of surveillance devices by the Ombudsman. 

Recommendation 60: A review should be conducted that examines the adequacy of the existing laws relating to stalking and intimidation in Tasmania and that considers whether there is a need to amend these laws to take better account of technological advances. The following could be considered in the review: 
• whether the crime of stalking and bullying in the Criminal Code (Tas) Section 192 should be amended to include intimidation based on the New South Wales approach—with intimidation being defined separately from stalking—and the provision should be changed to recognise that a single act, or a pattern of behaviour, may be taken into account in the determination of stalking or intimidation; 
• the extent to which behaviour that amounts to harassment is adequately protected for the purposes of the Family Violence Act 2003 (Tas); and 
• whether the crime of stalking and bullying in the Criminal Code (Tas) Section 192 should be amended to more clearly criminalise surveillance conducted by technology; for example, by installing tracking and spyware applications on mobile phones, electronic devices, and vehicles, as well as installing covert cameras and the use of drones. 

Recommendation 61: Tasmania should, in line with other jurisdictions, enact state-based legislation to create offences of distributing an intimate image without consent or threatening to distribute an intimate image. In the creation of such an offence, the law should make it clear that the prohibition extends to the distribution (or threat to distribute) images created or modified by the use of artificial intelligence. 

Recommendation 62: There should be further consideration of necessary reforms to the PIPA, or the creation of standalone legislation, to align Tasmanian regulation with the National Health Interoperability Plan. 

Recommendation 63: If a national statutory tort is not adopted by the Commonwealth in the near future, consideration should be given to the introduction of Tasmanian legislation to create a statutory tort of privacy.