Interaction of federal, state and territory regimes

17.2 In the absence of a clear statement in the Australian Constitution about whether the regulation of personal information is the responsibility of the Australian Government or state and territory governments, the states and territories are able to enact privacy laws.[1] Further, s 3 of the Privacy Act states that the Australian Parliament does not intend to ‘cover the field’ in relation to the protection of personal information.[2] Chapter 2 provides an overview of state and territory privacy laws.

17.3 State and territory laws are sometimes inconsistent with the Privacy Act and with each other. This section of the chapter considers the interaction of state and territory privacy laws with the Privacy Act. It outlines a number of examples of inconsistency between federal, state and territory laws including inconsistencies in relation to terms and definitions; state-owned corporations; contracted service providers; ministers, local governments and universities; the type of personal information regulated; privacy principles; and remedies. These issues are dealt with in detail in other chapters of this Report.

Inconsistent principles

17.4 Although the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) and privacy principles under state and territory privacy regimes are similar, they are not identical. The privacy regimes in some jurisdictions include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs.[3] As is noted in Chapter 18, there are significant differences between the IPPs and the NPPs.

17.5 Many of the differences between the IPPs and the NPPs are reproduced in the state and territory regimes. For example, like the NPPs, the Information Privacy Principles under the Information Privacy Act 2000 (Vic) include principles relating to anonymity and cross-border data flows.[4] The Information Standard that applies to the Queensland public sector does not provide for either of these principles,[5] but the Information Standard that applies to the Queensland Department of Health does.[6]

17.6 The adoption of the model Unified Privacy Principles (UPPs) and any relevant regulations that modify the application of the UPPs at the federal, state and territory level will deal with many of the problems caused by inconsistent privacy principles across the jurisdictions.[7]

Terms and definitions

17.7 Terms and definitions vary across federal, state and territory laws. For example, each of the state and territory regimes contains definitions of ‘personal information’ that are similar to the definition of the term under the Privacy Act, but not identical.[8]

17.8 The inconsistent use of terms and definitions in privacy legislation contributes to the complexity of privacy law and may increase compliance burden and cost. The federal, state and territory governments should ensure the consistency of definitions and key terms (for example, ‘personal information’, ‘sensitive information’ and ‘health information’) in federal, state and territory legislation that regulates the handling of personal information.

17.9 In Chapter 3, the ALRC recommends that the states and territories should enact legislation regulating the handling of personal information in that state or territory’s public sector that applies relevant definitions used in the Privacy Act. These definitions would include definitions of ‘personal information’, ‘sensitive information’ and ‘health information’.[9]

Personal information regulated

17.10 Employee records are currently excluded from the operation of the Privacy Act.[10] Some state and territory privacy regimes provide limited protection for employee records.[11] The Personal Information Protection Principles under the Personal Information Protection Act 2004 (Tas) provide the highest degree of protection of employee records, subject to a number of exceptions.[12] In Chapter 40, the ALRC recommends that the current exemption under the Privacy Act relating to employee records should be removed. In the ALRC’s view, state and territory legislation should include provisions that address the handling of employee records in that state or territory’s public sector.

17.11 The Privacy Act provides limited protection for information held in public registers. IPP 1 places some restrictions on the collection of personal information in a generally available publication.[13] Similarly, the Information Act 2002 (NT) provides limited protection for information held in public registers.[14] Other jurisdictions, however, provide greater protection. For example, public registers in Victoria are subject to the Information Privacy Principles under the Information Privacy Act 2000 (Vic),[15] and the New South Wales legislation prohibits certain disclosures of personal information held in a public register.[16] The issue of publicly available information is discussed in Chapter 6 and Chapter 11.

Remedies

17.12 The remedies available to individuals whose privacy rights are infringed can differ according to the jurisdiction in which the complaint is made. For example, the maximum amount of compensation that is payable for an interference with privacy differs across the states and territories. The Privacy Act does not specify a limit on the payment of compensation. In contrast, the New South Wales Administrative Decisions Tribunal can order the payment of compensation of up to $40,000;[17] the Victorian Civil and Administrative Tribunal can order compensation of up to $100,000;[18] and the Northern Territory Information Commissioner can order compensation up to $60,000.[19] There is no specific provision for compensation under the Personal Information Protection Act 2004 (Tas),[20] or under the Queensland privacy scheme.

17.13 In Chapter 50, the ALRC examines various issues related to the enforcement of the Privacy Act, including the payment of compensation and whether certain interferences with privacy should attract a civil penalty. To ensure a level of consistency in the outcome of privacy regulation, the states and territories should consider the range of enforcement tools, and the level of penalties and compensation, available under the Privacy Act and other state and territory privacy laws when developing privacy legislation.

State-owned corporations

17.14 While a number of state and territory privacy regimes regulate the handling of personal information by state-owned corporations,[21] they are not regulated in New South Wales. This is significant, as state-owned corporations do not fall within the scope of the private sector provisions of the Privacy Act unless they are prescribed by regulation.[22] The exemptions under the Privacy Act relating to state and territory authorities and prescribed instrumentalities are discussed further in Chapter 38.

State contracted service providers

17.15 There is also confusion about whether contracted service providers to New South Wales government agencies are caught by the Privacy Act or the Privacy and Personal Information Protection Act 1998 (NSW), or fall into an unregulated gap between the state and federal Acts.[23] In Chapter 14, the ALRC discusses various issues related to state contracted service providers. In Chapter 3, the ALRC recommends that state and territory legislation regulating the handling of personal information in that state or territory’s public sector should include provisions relating to state and territory government contracts.

Ministers, local governments and universities

17.16 While legislation in some jurisdictions applies to ministers,[24] the Privacy and Personal Information Protection Act 1998 (NSW) does not cover ministers and specifically authorises the disclosure of information to ministers and the Premier.[25] The handling of personal information by local governments is regulated under privacy regimes in some states and territories.[26] Local governments are not regulated, however, in Queensland[27] or South Australia.[28]

17.17 Universities are subject to personal information laws in some jurisdictions,[29] but not others.[30] Private universities and universities established under ACT legislation are covered by the Privacy Act, as are other private sector higher education providers. This creates further inconsistency in privacy regulation between bodies that substantially provide the same function.[31]

17.18 In Chapter 3, the ALRC recommends that the states and territories enact legislation that applies the UPPs and any relevant regulations that modify the operation of the UPPs.[32] The ALRC envisages that this legislation would include a definition of ‘agency’ that applies to state and territory ministers, universities, and local governments. This will ensure that these individuals and agencies are subject to the same privacy principles.

[1] The Constitutional basis for enacting the Privacy Act 1988 (Cth) was the Australian Government’s power to make laws in relation to ‘external affairs’: Privacy Act 1988 (Cth) Preamble; Australian Constitution s 51(xxix).

[2] Privacy Act 1988 (Cth) s 3 and the Australian Constitution are discussed in Ch 4.

[3] See discussion in Ch 2.

[4] Information Privacy Act 2000 (Vic) sch 1.

[5] Queensland Government, Information Standard 42—Information Privacy (2001).

[6] Queensland Government, Information Standard 42A—Information Privacy for the Queensland Department of Health (2001), [3.1.8], [3.1.9].

[7] See Rec 3–4.

[8] See, eg, Privacy Act 1988 (Cth) s 16B; Privacy and Personal Information Protection Act 1998 (NSW) s 4; Information Privacy Act 2000 (Vic) s 3; Personal Information Protection Act 2004 (Tas) s 3; see definition of ‘record’ in Queensland Government, Information Standard 42—Information Privacy (2001); Personal Information Protection Act 2004 (Tas) s 4. The Freedom of Information Act 1992 (WA) refers to personal information contained in documents: see, eg, Freedom of Information Act 1992 (WA) s 29. The South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992) refers to personal information concerning the ‘record subject’. It is, however, unclear whether the instruction covers only documents in a recorded form.

[9] See Ch 3 and Rec 3–4.

[10] Privacy Act 1988 (Cth) s 7B(3).

[11] See, eg, Privacy and Personal Information Protection Act 1998 (NSW) s 4(3)(j); M Paterson, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005).

[12] Personal Information Protection Act 2004 (Tas) s 10.

[13] Similar protection is offered under the Queensland Government, Information Standard 42—Information Privacy (2001), [3.1.1].

[14] Information Act 2002 (NT) s 68.

[15] Information Privacy Act 2000 (Vic) s 16(4).

[16] Privacy and Personal Information Protection Act 1998 (NSW) pt 6.

[17] Ibid s 55(2)(a).

[18] Information Privacy Act 2000 (Vic) s 43.

[19] Information Act 2002 (NT) s 115.

[20] The Tasmanian Ombudsman, however, can make any order that he or she considers appropriate on finding a contravention of a Personal Information Protection Principle: Personal Information Protection Act 2004 (Tas) s 22.

[21] See, eg, Information Privacy Act 2000 (Vic) s 3; Queensland Government, Information Standard 42—Information Privacy (2001), [1.1].

[22] Privacy Act 1988 (Cth) s 6C(1).

[23] See Ibid s 7B(5); Privacy and Personal Information Protection Act 1998 (NSW) s 4(4)(b); Privacy NSW, Submission to the New South Wales Attorney General’s Department Review of the Privacy and Personal Information Protection Act 1998, 24 June 2004, 77.

[24] See, eg, Personal Information Protection Act 2004 (Tas) s 3.

[25] Privacy and Personal Information Protection Act 1998 (NSW) s 28(3).

[26] For example, Ibid s 3; Information Privacy Act 2000 (Vic) s 9(1)(d).

[27] Queensland Government, Information Standard 42—Information Privacy (2001), [1.1] and Financial Management Standard 1997 (Qld) s 5(2)(c).

[28] South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992), 2(2) and Public Sector Management Act 1995 (SA) s 3.

[29] See, eg, Personal Information Protection Act 2004 (Tas) s 3.

[30] See, eg, South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992), 2(2) and Public Sector Management Act 1995 (SA) s 3.

[31] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[32] See Rec 3–4.