In a recent comment about the NSW Police and the loopholes in our privacy laws, we alluded to the fact that there is uncertainty in some quarters about what laws apply and to whom.
A classic example of confusion surrounds NSW State Owned Corporations (SOCs). These statutory authorities are given special status by virtue of the State Owned Corporations Act. They are listed in Schedule 3 of the Act. They are not “incorporated” companies but legal entities created by the Act, and owned by “shareholding ministers” on behalf of the NSW Government.
SOCs are specifically excluded from the definition of public sector agency by the NSW Privacy and Personal Information Protection Act. The Act does not apply to them in the handling of personal information. To the extent they hold any health information they are private sector bodies covered by the HRIP Act.
The Federal Privacy Act has two regimes – one that relates to Federal public sector bodies; the other to private sector organisations that have a turnover in excess of $3 million (and some others not relevant here).
State authorities are not covered by the provisions that apply to public sector organisations.
They are also not covered by the Act’s provisions that apply to private sector bodies, except where the Federal Government, acting at the request of the state concerned, regulates to prescribe them as organisations.
Three NSW SOCs – Country Energy, Energy Australia and Integral Energy Australia – have been prescribed as authorities for the purposes of the private sector provisions.
Other SOCs are not covered by any privacy law as the NSW Privacy Commissioner acknowledged in a submission to the Attorney General in June 2004. As he put it (page 127) “State Owned Corporations have fallen through a gap in privacy regulation”.
There is nothing to prevent SOCs from adopting a privacy policy reflecting legislative requirements. But as the Federal and state laws differ there is a question about what law they use as the basis for privacy policy.
Some SOCs are understandably confused.
NSW Lotteries, for example, says that it is covered by the private sector provisions of the Federal Privacy Act. In its policy statement, after outlining its policy, it directs interested parties to the Federal Privacy Commissioner for more information.
When we inquired, and brought these issues to attention, NSW Lotteries told us its privacy statement was based on legal advice obtained in 2001 when the Federal private sector privacy law came into operation, and nothing had changed since.
When we asked the Federal Privacy Commissioner’s Office we were told it had no power to investigate a matter concerning any NSW State Authority other than those listed in the regulation referred to above. That is, if it came to a complaint about NSW Lotteries, it wouldn’t consider the matter. It might refer it to the NSW Privacy Commissioner (even though the NSW law does not apply to a SOC) and the Commissioner may have power to look into the complaint.
Another SOC, Landcom, says in its Annual Report that it's voluntarily committed to comply with both the NSW Act and the private sector provisions of the Federal Act (to the extent applicable). That’s clearly a bet each way.
Rail Corporation’s privacy statement on its website relates only to personal information collected from website users. It refers specifically to its obligations under NSW law.
Sydney Water says it voluntarily complies with the NSW Act. Perhaps recognising the “no man’s land” in which SOCs operate, its Annual Report last year said it had made a submission on this to the Attorney General's statutory review of the NSW Act. (The review has never been published despite the fact that the law required it to be tabled in Parliament almost 2 years ago).
I’m sure the SOCs referred to above and the others not mentioned in this comment (we haven’t researched the lot) have in place policies and procedures designed to protect personal and health information to ensure it is handled in a fair and reasonable manner. Hopefully all those millionaires created by NSW Lotteries, land purchasers from Landcom, and customers of Sydney Water and the Rail Corporation have nothing to be concerned about.
It’s just that if anyone did have a complaint about privacy arising from their dealings with these bodies, they shouldn’t expect to be able to insist on any statutory rights, or to be able to pursue review opportunities available to those dealing with organisations covered by legislated privacy obligations.
They won’t get past first base with the Federal Privacy Commissioner.
And the NSW Administrative Decisions Tribunal (which has authority to award up to $40,000 in the event of a breach of privacy that results in loss or damage) will tell them it has no jurisdiction to consider the privacy complaint against an NSW SOC.
Another fine NSW privacy mess, but all that is required to fix it is for the NSW Act to be amended to include SOCs, and for someone to then tell them what law applies and what it means.