17 September 1998 COUNCIL
PRIVACY AND PERSONAL INFORMATION PROTECTION BILL
Bill introduced and read a first time.
Second Reading
The Hon. J. W. SHAW (Attorney General, Minister for Industrial Relations, and Minister for Fair Trading) [4.46 p.m.]: I move:
That this bill be now read a second time.
The purpose of the bill is to promote the protection of privacy and the rights of the individual by the recognition, dissemination and enforcement of data protection principles consistent with international best practice standards. The bill gives statutory recognition to data protection principles concerning the collection, storage, use and disclosure of personal information by public sector agencies. The data protection principles do not attempt to define the meaning of "privacy" but seek to establish principles for dealing with personal information in an open and accountable manner.
The objects of the bill are: to promote the protection of the privacy of individuals; to specify information protection principles that relate to the collection, use and disclosure of personal information held by public sector agencies; to require public sector agencies to comply with these principles; to provide for the making of privacy codes of practice for the purpose of protecting the privacy of individuals; to provide for the making of complaints about privacy-related matters, and for review of conduct that involves the contravention of the information protection principles or privacy codes of practice; and to establish an office of Privacy Commissioner and to confer on the Privacy Commissioner functions relating to privacy and the protection of personal information.
The bill defines "personal information" to mean information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. It specifies a number of requirements relating to the confidentiality and safeguarding of personal information that is collected, held and used by public sector agencies. These requirements are referred to as information protection principles and relate to such matters as restrictions on the collection of personal information, the giving of information when personal information is obtained and used, storage and security of personal information, access to personal information, and alteration of personal information. The bill provides exemptions for public sector agencies from complying with the information principles in certain circumstances.
The purpose of the legislation is not to protect secrecy in dealings or to protect the Government from accountability for its actions, and accordingly there are generous exemptions in the bill for such investigative agencies as the Independent Commission Against Corruption, the Police Integrity Commission and the New South Wales Crime Commission, which have to comply with the information protection principles in connection with the exercise of their administrative and educative functions. A similar exemption is provided for the Police Service. The bill also provides for the making of privacy codes of practice which can modify the application of the information protection principles in a particular public sector agency. Each public sector agency is required to prepare privacy management plans detailing policies and practices to be adopted by the agency to ensure compliance with the requirements of the bill.
It is proposed to establish the office of the Privacy Commissioner, which will subsume all the present functions and powers of the existing New South Wales Privacy Committee in relation to general privacy issues as well as exercise additional functions in relation to the data protection principles. The general functions of the Privacy Commissioner will include promoting the adoption of, and monitoring compliance with, the information protection principles, initiating and recommending privacy codes of practice, conducting research into privacy matters, and preparing and publishing privacy guidelines. The Privacy Commissioner may also publish a personal information digest setting out the nature and source of personal information held by public sector agencies, and any such digest is to be made publicly available.
The commissioner will continue to be able to receive complaints in relation to alleged violations of the privacy of persons. In addition, the commissioner will have the power to receive complaints in relation to alleged breaches of the information protection principles, relevant code, or public register provisions. The Privacy Commissioner's complaints-handling role will have a conciliation and education focus, similar to that of the President of the Anti-Discrimination Board in relation to complaints of unlawful discrimination. The commissioner will deal with complaints by way of conciliation and will not have power to make enforceable determinations in relation to complaints. However, in cases where the complaint relates to a breach of a data protection principle, relevant code, or breaches of the public register provisions, the complainant can choose to have the commissioner conciliate the matter or alternatively to seek an internal review by the agency with a right of review by the Administrative Decisions Tribunal (ADT). If the complainant chooses to have the matter conciliated by the commissioner then there will be no further right to an internal review and subsequent appeal to the Administrative Decisions Tribunal. There will be no provision allowing for more general privacy complaints to be referred for determination to the ADT.
The Privacy Committee Act 1975 will be repealed, and all existing functions of the committee transferred to the new commissioner. However, the new legislation will provide for the establishment of a privacy advisory committee to advise the Privacy Commissioner in relation to matters relevant to his or her functions. The legislation will create a specific criminal offence in relation to the supply of personal information by a public official in return for financial or other benefit. It will also be an offence to solicit the corrupt supply of information by a public official.
It should be stressed that the data protection principles are generally subject to any specific provision in any law relating to the use or disclosure of information. For example, health legislation providing for the compulsory notification of certain diseases would in no way be affected by the proposed legislation. The screening processes provided for in the Commission for Children and Young People Bill, which has been introduced into Parliament as an exposure bill, will not be affected by this bill. New South Wales was one of the first jurisdictions in the world to introduce legislation dealing specifically with privacy protection when the New South Wales Privacy Committee was established pursuant to the Privacy Committee Act 1975.
Throughout its 23-year history, the committee has played a valuable role in providing advice on privacy policy to both the government and the private sectors, educating the community about important privacy issues, and conciliating complaints brought by individuals about breaches of privacy. However, it is now apparent that more detailed and extensive legislation is needed in order to address the demands of evolving information technologies, community and international expectations for effective privacy safeguards, and in particular the need for the development of standards in relation to data handling.
During the 23-year period since the passage of the Privacy Committee Act, information technology has developed very rapidly. When the first personal computers began to penetrate the Australian market in the early 1980s, 64 kilobytes of memory was considered to be quite remarkable. Today compact disks are able to store 500 megabytes, that is, one-quarter of a million A4 pages. Personal computers used to be stand-alone; now there are local and wide area networks, including the Internet, which provides data links across the globe. Optic fibres are able to carry digitised audio and video data in the form of extremely fast light pulses. It is so fast that it has been estimated that the entire contents of the Encyclopaedia Britannica can be transmitted along a single optic fibre in about eight seconds. Prior to these developments in information technology, there was a range of natural barriers that ensured that records containing personal information were not misused. For example, to retrieve a name and address from a file it was often necessary to consult a card index system for the relevant file number, physically locate the file in a filing cabinet or compactus, then examine the file until the name and address were found.
Today it is much more likely that the only step needed to retrieve that same information is to type the name into a desktop or laptop computer. Information technology has made records of personal information more vulnerable to abuse as it enables the storage of vast amounts of personal data at low cost for indefinite periods of time, the instantaneous retrieval of personal data, the centralisation and linkage of personal data, and the rapid and extensive transmission of personal data. There can be no doubt that there is strong concern among many in the community about the implications of these developments for personal privacy and the rights of the individual. A survey commissioned by the Federal Privacy Commissioner in August 1994 showed that 74 per cent of Australians considered the confidentiality of personal information to be a very important social issue, even more important than the economy and the environment. Most of those surveyed believed that government should pass legislation to ensure that privacy is protected.
The government is itself one of the main collectors and users of personal information. I consider that effective safeguards in relation to that information are a vital part of government's compact with the community. Developments in information technology have not been matched by the development of an appropriate policy and legal framework to ensure that the right to information privacy is protected. As the leading State in the area of communications, media and information technology, it is appropriate that New South Wales should take a lead in developing effective and comprehensive data protection legislation. In New South Wales the need to provide for safeguards in relation to the release of personal information held by government agencies was highlighted in particular by ICAC's 1992 report entitled "Report into the Unauthorised Release of Government Information". That inquiry revealed a massive illicit trade in information involving government departments, the police, lawyers, financial institutions and private investigators. As well as drawing attention to the corrupt conduct involved in this trade, the ICAC report was very critical of the lack of any co-ordinated and consistent government policy dealing with the storage and release of information.
The Privacy Committee has exercised powers of investigation, inquiry and reporting in relation to complaints about breaches of privacy from both the public and private sector for more than 20 years. The Privacy Committee cannot enforce its recommendations but it has powers to compel witnesses similar to those of a royal commission. These powers to deal with general privacy-related complaints will continue in their present form. It should be noted that the privacy codes of practice will not be enforced against the private sector, and complaints about breaches of privacy in the private sector will not be referred to the Administrative Decisions Tribunal. This bill applies information privacy principles only to the public sector at this stage. Whilst the Government remains committed to its pre-election undertaking to develop effective data protection laws which apply to both the private and the public sectors, it has been decided that this should be done in a uniform manner on a national basis.
Up until recently it was understood that the Commonwealth Government would legislate to have data protection principles apply to the private sector nationally. The Commonwealth Government has now indicated it will not be legislating to do so. As it is important that a national approach be taken to the application of data protection principles to the private sector, consideration is currently being given to a national model to apply to the private sector. When resolved, the present legislation can be amended to apply to the private sector, if that is deemed appropriate at that time. It is important to note that there are sound economic arguments for enacting legislation with the potential to apply to the private sector. But, for the reasons I have explained, it is not proposed to do so at this stage.
This bill is directed to the State public sector. It will constrain public sector agencies in the use of data, and it will provide enforceable rights for citizens to obtain compensation where those rights are breached, by approaching the Administrative Decisions Tribunal and seeking enforcement of those rights. This bill will achieve an effective and reasonable balance in the circumstances. This is a positive step forward in the development of privacy rights of the citizens of New South Wales. I commend the bill to the House.
Tim Robinson 21 September 1998