IV. Governance issues
The federal Freedom of Information Act of 19821 provides for access to government records, requiring agencies to respond within 30 days to requests.2 The FOI Act is the mechanism through which the access right in the Privacy Act is implemented for public sector agencies. The Commonwealth Ombudsman promotes the FOI Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the Attorney General Department and Ombudsman to support the Act and there is now little central direction, guidance or monitoring. In 2002-2003, there were 41,481 requests, an 11 percent increase over the previous year; of those finalized, 71 percent were granted in full, 23 percent granted in part, and 6 percent refused.3 Nearly 92 percent of the requests were for personal information, mostly to the Department of Veterans' Affairs, the Department of Immigration and Multicultural and Indigenous Affairs (DIMIA), and Centrelink (a government agency delivering a range of Commonwealth services).4 In 2001, the Senate held an inquiry into whether to adopt changes recommended by a 1995 report critical of the FOI law, but no substantive changes have since been made to the law.5
State and Territory Laws
The Australian States and Territories have varying privacy laws. New South Wales (NSW), the most populous State, passed the Privacy and Personal Information Protection Act 1998 (PPIP Act) which applies (since July 2000) to most state government agencies and all local councils, although there are numerous and generous exemptions, and agencies can apply for temporary directions, regulations or Codes of Practice that can weaken the principles
The PPIP Act is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows for the development of Codes of Practice that weaken the Information Protection Principles, and several such Codes have already been made.6
The NSW Attorney General’s Department in 2004 conducted a statutory five-year review of the PPIP Act, but its results have not been released.7 The NSW Privacy Commissioner commented on the legislation in a comprehensive submission in June 2004.8 The New South Wales Law Reform Commission has since been asked to review the Act, and is due to report in 2008.9
In 2002, a new health-specific law, Health Records and Information Privacy Act 2002 (HRIP Act), took health information out of the scope of the PPIP Act. Instead, health information is regulated by 15 Health Privacy Principles, which apply to the private sector as well as State and local government agencies.10 The HRIP Act commenced on September 1, 2004
NSW enacted a Workplace Video Surveillance Act11 in 1998 (partly in response to a Privacy Committee report). This was replaced in 2005 with the broader Workplace Surveillance Act 2005, which covers camera surveillance, email and internet monitoring and location tracking in the workplace. The Australian Privacy Foundation has criticized the Act as weak in its level of actual privacy protection, and difficult in terms of implementation for employers.12
In an interim report issued publicly in early 2002,13 the NSW Law Reform Commission reviewed the laws governing surveillance more generally, including the operation of the existing Listening Devices Act 1984.14 The Law Reform Commission completed its review and reported to the Attorney General in May 2005, but after two years the Attorney General has still not yet approved the report for publication.15
In July 2002, the Office of Information Technology (OIT), an agency of the state government of NSW, issued guidelines pursuant to the Privacy and Personal Information Protection Act of 1998. The guideline states that as a matter of good practice, each agency should have a designated privacy contact officer. It adds that the obligations of the chief information officer in each agency include ensuring there is a privacy management plan. The responsibilities of other staff, including librarians, web managers, human resources managers and records managers, are also described.16
The State of Victoria has enacted the Information Privacy Act 2000, which applies privacy principles (an almost exact copy of the NPPs in the federal Act) to most state government agencies and local councils. There are relatively few exemptions and while there is provision for Codes of Practice, they cannot weaken the principles. The Act created an office of Privacy Commissioner,17 very active so far, with a monitoring, enforcement and education role, and to conciliate complaints
The Victorian Civil and Administrative Tribunal can determine unresolved complaints. Victoria has also passed the Health Records Act 2001 to complement the information privacy legislation by requiring Victorian health service providers to handle health information responsibly. The Health Records Act also gives patients a right of access to their records held by private practitioners. The Victorian Law Reform Commission18 received a reference in April 2001 to review the coverage of privacy law in Victoria. It published its final report on workplace privacy in October 2005, and is now turning its attention to surveillance in public places.19
The government of the Australian Capital Territory (ACT), which used to be a local authority under Commonwealth (federal) law, and was consequently covered by the federal Privacy Act, achieved self-government as a separate Territory in 1989. The Privacy Act was amended to continue coverage, intended as an interim measure, but this remains the position, with the Federal Privacy Commissioner in effect serving also as the ACT's Commissioner, responsible to its own government. However, in 1997 the ACT government passed its own Health Records (Access and Privacy) Act,20 which applies to personal health information held by anyone in the public or private sector. Its provisions are similar to those of the IPPs in the Privacy Act, and supersedes them for ACT government agencies in this area of data handling
The self-governing Northern Territory has enacted a combined privacy and FOI law – the Information Act 2002,21 which took effect in July 2003. The Office of the Information Commissioner was established in 2004.22
Queensland had a purely advisory Privacy Committee from 1984 to 199123 and has a limited privacy statute24 covering the use of listening devices, credit reporting (operating alongside the 1989 amendments to the federal Privacy Act) and physical intrusions into private property. In April 1998, after a yearlong review, a Parliamentary Committee recommended comprehensive privacy legislation for the public sector.25 The government indicated that it intended to legislate but no timetable has been set, and in 2001 the government adopted privacy principles on a hopefully interim non-statutory basis.26
In Tasmania, the Personal Information Protection Act 2004 came into effect in September 2005.27 The Act covers state government and local councils in Tasmania. It does not establish a position of Privacy Commissioner, but gives complaint-handling responsibilities to the Tasmanian Ombudsman. The Minister can make public interest determinations allowing organizations to be exempt from any or all provisions of the Act. The Act covers health information and applies to deceased persons for 25 years after death
The other states, South Australia and Western Australia, also operate administrative schemes based on variations of the standard sets of privacy principles.28 In May 2003, the Western Australian government released a discussion paper29 proposing a public sector privacy law
All of the States and Territories also have FOI laws that include rights for individuals to access and correct personal information about themselves.30
- 1. http://www.austlii.edu.au/au/legis/cth/consol_act/foia1982222/
- 2. http://freedominfo.org/survey.htm
- 3. http://www.ag.gov.au/www/securitylawHome.nsf/AllDocs/RWPC99101F32A5A081C...
- 4. Id.
- 5. Banisar, supra.
- 6. http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_...
- 7. http://www.lawlink.nsw.gov.au/lawlink/legislation_policy/ll_lpd.nsf/page...
- 8. http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_...
- 9. http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_cref113
- 10. http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_...
- 11. http://www.austlii.edu.au/au/legis/nsw/consol_act/lda1984181/index.html#s20
- 12. http://www.privacy.org.au/Campaigns/Workplace/
- 13. http://www.lawlink.nsw.gov.au/lrc.nsf/pages/r98toc
- 14. http://www.austlii.edu.au/au/legis/nsw/consol_act/lda1984181/index.html
- 15. http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_cref090
- 16. http://www.oit.nsw.gov.au/pages/4.3.20.S-IM-Privacy.htm
- 17. http://www.privacy.vic.gov.au/
- 18. http://www.lawreform.vic.gov.au/
- 19. http://www.lawreform.vic.gov.au/CA256A25002C7735/OrigDoc/~0456DDC1026247...
- 20. http://www.austlii.edu.au/au/legis/act/consol_act/hraaa1997291/
- 21. http://notes.nt.gov.au/dcm/legislat/legislat.nsf/d989974724db65b1482561c...
- 22. http://www.privacy.nt.gov.au
- 23. Privacy Committee Act 1984 (Qld).
- 24. Invasion of Privacy Act 1971 (Qld).
- 25. http://www.parliament.qld.gov.au/comdocs/legalrev/lcarc9.PDF
- 26. http://www.justice.qld.gov.au/dept/privacy.htm
- 27. http://www.egovernment.tas.gov.au/themes/information_security__and__mana...
- 28. http://www.justice.tas.gov.au/legpol/privacy/index.htm
- 29. http://www.ministers.wa.gov.au/main.cfm?MinId=06&Section=0607
- 30. http://www.comlaw.utas.edu.au/law/foi/