recent cases: is there fragmentation of australia's public sector privacy laws? professor...
TRANSCRIPT
Recent cases: Is there fragmentation of Australia's public sector privacy laws?
Professor Graham Greenleaf
UNSW Faculty of Law - 22 May 2003
NSW Freedom of Information and Privacy Practitioners Network
Public sector privacy laws Variations so far
Commonwealth / ACT - IPPs NSW - NSW IPPs Vic & NT (and private sector) - NPPs
Superficial similarities in aims All based on life-cycle of information Significant differences in details Little case law except new NSW cases - major
differences already emerging
Examples and recent cases Collection from the data subject
DO v University of New South Wales [2002] NSWADT 211; [2003] NSW ADTAP 9
Consent exception- express or implied FM v Macquarie University [2003] NSWADT 78
Minimal collection - anonymity Wykanak v Dept Local Govt [2002] NSWADT 208 FH v NSW Dept Corrective Services [2003] NSWADT 72
Are records required before Acts apply? FM v Macquarie University [2003] NSWADT 78
Collection from the data subject Some laws require collection from the data subject,
but they differ considerably Cth IPPs impose no obligation to do collect from the
individual, no consent needed to collect from 3rd Ps NPP 1.4 requires collection only from individual ‘if it is
reasonable and practicable to do so’ NSW s9 requires collection directly from individual unless
3rd P collection is authorised by the individual; or Provided by parent/guardian if under 16
DO v University of New South Wales [2002] NSWADT 211 UNSW did have authorisation to collect from 3rd Ps Iillustrates risks under NSW Act It is OK to ‘double check’ with a 3rd P - collection from both
Consent exception Cth IPPs and NPPs - implied consent
‘express consent or implied consent’ (Cth PA s6, also Vic) Consent must also be informed ( meaning of ‘consent’) Can consent be implied from failure to opt out?
NSW s26(2) requires express consent Failure to opt out could never be good enough
FM v Macquarie University [2003] NSWADT 78 Consent to UNSW to collect transcript from UNSW was implied
consent to Macquarie to disclose it, but that is not express consent Cf NZ requires ‘authorization’
NZ Courts (L v J, L v L) have held this includes implied authorizations (see Roth article)
Minimal collection - anonymity NPP 8 - ‘Wherever lawful and practicable, individuals must have the
option of not identifying themselves when entering transactions with an organisation’ - no direct NSW equiv.
Is it a breach to build systems which make anonymity impracticable? Does NPP8 require anonymity to be ‘designed in’?
FH v NSW Dept Corrective Services [2003] NSWADT 72 - Equivocal on whether breach of security principle where it would
cost millions for Dept to change system to log accesses Wykanak v Dept Local Govt [2002] NSWADT 208 (summary)
ADT could not review a complaint of an anticipated breach of a NSW IPP
Compare Cth IPPs or NPPs - s98 Injunctions available where ‘a person … is proposing to engage in any conduct that … would constitute a contravention of this Act’
'Records' / 'documents’ Significance in Commonwealth Privacy Act
Cth IPPs all require information in ‘records’ or a ‘generally available publication’
NPPs don’t, but s16B has same effect One of the dividing lines between information
privacy and surveillance laws Problems - compare Cth and NSW results
Interview with no notes taken CCTV with no film Listening device with no recording
'Records' / 'documents’ (2) Other jurisdictions requiring records / documents
Victoria S3 definition ‘personal information’ - ‘means information … that
is recorded in any form …’ Northern Territory
S4 definition ‘personal information’ means ‘government information from which …’
S4 definition ‘government information’ means ‘a record held …’ Hong Kong
s2 definition 'data' is only 'any representation of information, in any document'.
'document' includes disks, film etc from which visual images or other data are 'capable ...of being reproduced’
'Records' / 'documents’ (3) New South Wales - the odd one out
S4 defn ‘personal information’ means ‘information or an opinion (….whether or not recorded in a material form) …’ - cannot imply a record from the definition
NSW IPPs all refer to ‘personal information’ (contrast Cth IPPs require ‘in a record’)
No equivalent to Cth s16B re NPPs All NSW IPPs therefore apply to all personal information
whether or not it is ever recorded IPPs only require that agency must ‘collect’ or ‘hold’ personal
information
'Records' / 'documents’ (4) FM v Macquarie University [2003] NSWADT 78
Hennessy Dep P (on appeal) S18 breach by Macq’s disclosure to UNSW of information in 2
telephone conversations Information was observations of FM and opinions about him The information was never recorded by Macq
Held - Was ‘personal information’ even though FM’s behaviour was observed by others
Held - Info was ‘held’ in the mind of Macq staff s4(4) defines ‘held’ as ‘possession or control’ ‘Possess’ must include ‘in the mind’ for non-material information
Order - Macq staff must not disclose any information in their minds about students, unless s18 exemption applies