ACT Numbered Regulations - Explanatory Statements



INFORMATION PRIVACY AMENDMENT REGULATION 2017 (NO 1) (NO 4 OF 2017)

2017



THE LEGISLATIVE ASSEMBLY
FOR THE AUSTRALIAN CAPITAL TERRITORY








INFORMATION PRIVACY AMENDMENT REGULATION 2017 (No 1)
SL2017-4




EXPLANATORY STATEMENT










Presented by
Gordon Ramsay MLA
Attorney-General




Outline

This regulation amends the Information Privacy Regulation 2014.

This regulation is made under section 21(4) of the Information Privacy Act 2014 (the Act), which provides that a law of a state, external territory or foreign country can be prescribed by regulation as a corresponding privacy law for the purposes of s 21.

Section 21 of the Act contains privacy protection requirements for government contracts. The provision states that an ACT Government agency must not enter into a contract unless the contract contains appropriate contractual measures to ensure that the contractors do not do an act, or engage in a practice, that breaches a Territory Privacy Principle (TPP) or a TPP code.

An amendment was passed by the Legislative Assembly on 14 February 2017 to make the operation of section 21 more flexible, by recognising contractual measures which ensure compliance under a corresponding law.

Corresponding privacy law is defined to include the Commonwealth Privacy Act 1988 and the law of a state, external territory or foreign country prescribed by regulation.

This amendment regulation prescribes the Privacy and Personal Information Protection Act 1998 (NSW) and the Privacy and Data Protection Act 2014 (Vic) as corresponding privacy laws because they offer similar frameworks to that operating in the ACT for the protection of personal information.

This will allow the ACT to engage sub-contractors operating in NSW and Victoria who are required to comply with the applicable legislation in those jurisdictions without requiring those sub-contractors to comply with another set of privacy legislation.

Privacy and Data Protection Act 2014 (Vic)

The Victorian provisions regulating the limits on use and disclosure of personal information, and exceptions to the prohibition, are similar to the ACT provisions. Generally, use and disclosure is only permitted where the information is being used and/or disclosed for the purpose (primary purpose) for which it was collected.

The exceptions in the ACT and Victorian laws allow use and disclosure of personal information if the secondary purpose is related to the primary purpose. If the information is classified as sensitive then the secondary purpose must be closely or directly related.

Other circumstances that allow use or disclosure for a secondary purpose are:

a) consent is given by the individual;

b) it is impracticable to get consent, the transfer is for the benefit of the individual and the individual would be likely to give consent;

c) the individual would have a reasonable expectation it would be used;

d) disclosure is necessary to prevent harm or threat, or is required or authorised by or under law; or

e) for purposes of law enforcement.

In addition, unlike the ACT, the Victorian legislation provides that personal information collected can be disclosed without seeking consent if it is impracticable to get consent and the information is to be used or disclosed for research or statistics in the public interest and is in a de-identified form.

Privacy and Personal Information Protection Act 1998 (NSW)

NSW privacy law has more specific provisions about the use and disclosure of personal information and sensitive information than either ACT or Victoria. NSW has separate provisions covering use and disclosure, disclosure of sensitive information within NSW and disclosure of sensitive information to another jurisdiction.

The NSW law specifically restricts ‘use’ to the primary purpose unless the secondary purpose is ‘directly related’ or the individual consents.

In NSW a ‘disclosure’ must be directly related to the primary purpose unless the agency believes that the individual would not object to the disclosure, or is reasonably likely to have been made aware that it is usually disclosed to the agency receiving it. The recipient must not use or on-disclose for any other purpose than the primary purpose.

Sensitive information must not be disclosed unless disclosure would prevent serious and imminent threat to the life or health of the individual or another.

Personal information can be disclosed to another jurisdiction in a range of circumstances, some of which may provide more flexibility than under ACT law. These include where:

a) the recipient is subject to corresponding privacy laws or binding scheme or contract;

b) it is necessary for contractual purposes benefiting the individual;

c) the disclosure is for the benefit of the individual and it is impracticable to obtain consent but, if it were practicable, the individual would be likely to give it; or

d) the recipient will comply with the information protection principles in holding, using and disclosing.

Complaints

The complaint process in each jurisdiction is similar. Firstly, the complainant should go to the agency making the collection, use and disclosure. If dissatisfied with the response, the complainant may escalate the complaint to the Privacy Commissioner for review, and then escalate to the courts or tribunal. The courts or tribunal may order remedies such as an apology, procedural change or monetary compensation to redress loss or damages.

In addition, the Victorian law provides for conciliation between the parties. If the agency does not abide by the ruling of the Commissioner, compliance orders may be issued.

Requiring contractors to comply with these laws, rather than the Act, will not substantially change the level of protection provided to personal information disclosed by ACT agencies for the purpose of contracted services.

Directorates engaging sub-contractors will need to undertake due diligence privacy impact assessments and risk assessments prior to entering into the contract.

Human rights implications

The regulation prescribes the privacy laws of Victoria and NSW as corresponding privacy laws within the meaning of the Act. The regulation engages the right to privacy (s 12, Human Rights Act 2004) and may be argued to limit that right.

The limitation on the right is justifiable given consideration of the following factors:

a) the nature of the right affected: the right to privacy is a fundamental right, but is not absolute and can be limited by clear legislative provision. In this case the legislative provision is in the Information Privacy Regulation, which clearly prescribes the Victorian and NSW privacy laws as corresponding privacy law for section 21 of the Act.

b) the purpose of the limitation: the purpose of prescribing the NSW and Victorian laws is to recognise privacy laws other than those of the ACT, increasing the flexibility of government agencies to contract with a broader range of service providers which comply with corresponding privacy laws.

This enhances the ability of the ACT to deliver services to the community in a more efficient and economical way by drawing on existing service models delivered by subcontractors.

c) the nature and extent of the limitation: requiring service providers to comply with these laws, rather than the Act, will not substantially change the level of protection provided to personal information disclosed by ACT agencies for the purpose of the contracted service. The Act will continue to provide an avenue for complaints about interference with privacy done by the sub-contractor.

d) the relationship between the limitation and its purpose: the laws offer similar frameworks to that operating in the ACT for the protection of personal information. Referring to these laws will improve the flexibility of section 21 of the Act while ensuring that the privacy protections remain.

e) any less restrictive means reasonably available to achieve the purpose the limitation seeks to achieve: the similarity, in operation and framework, between the ACT privacy laws and those of these other jurisdictions means that an individual’s privacy continues to be protected to the same extent.



Notes on clauses

Clause 1 Name of regulation

This is a formal provision that sets out the name of the regulation.

Clause 2 Commencement

This is a formal provision that provides for the commencement of the regulation. This regulation commences on the commencement of the Justice and Community Safety Legislation Amendment Act 2017, part 1.6.

Clause 3 Legislation amended

This clause lists the legislation to be amended by the regulation. This regulation will amend the Information Privacy Regulation 2014.

Clause 4 New section 5A

This clause inserts a new section 5A to the regulation which prescribes the Privacy and Personal Information Protection Act 1998 (NSW) and the Privacy and Data Protection Act 2014 (Vic) as corresponding privacy laws.



