State and territory regulation of privacy

2.10 Each Australian state and territory regulates the management of personal information. In some states and territories, personal information is regulated by legislative schemes, in others by administrative regimes.

2.11 Section 3 of the Privacy Act states:

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.

2.12 The provision makes clear that the Australian Parliament did not intend to ‘cover the field’ and to override state and territory laws relating to the protection of personal information if such laws are capable of operating alongside the Privacy Act. Section 3 of the Privacy Act is discussed in Chapter 3.

2.13 New South Wales (NSW), Victoria and the ACT all have legislation that regulates the handling of personal health information in the private sector. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation in relation to personal health information. Part H of this Report discusses the issues and problems inherent in this situation. Methods for dealing with these issues are outlined in Chapter 3.

New South Wales

Privacy and Personal Information Protection Act 1998 (NSW)

2.14 NSW was the first state to enact public sector privacy laws. The Privacy and Personal Information Protection Act 1998 (NSW) contains a set of privacy standards called Information Protection Principles that regulate the way NSW public sector agencies handle personal information (excluding health information).^[16]

2.15 A number of the Information Protection Principles are similar to the IPPs in the Privacy Act, but they are not identical.^[17] There are four major sources of exemptions to the Privacy and Personal Information Protection Act: in the Act;^[18] in regulations;^[19] in a privacy code of practice, made by the Attorney General;^[20] and in a public interest direction made by the NSW Privacy Commissioner.^[21]

2.16 The Act provides for the development of privacy codes of practice. A privacy code may modify the application to any public sector agency of one or more of the Information Protection Principles^[22] and may exempt a public sector agency or class of public sector agency from the requirement to comply with any of the Information Protection Principles.^[23] The Act also provides for privacy management plans.^[24]

2.17 The Act establishes the Office of the NSW Privacy Commissioner (Privacy NSW). The NSW Privacy Commissioner has a number of functions, including a complaint-handling function. The NSW Privacy Commissioner must endeavour to resolve complaints by conciliation^[25] and may also make written reports on any findings or recommendations made in relation to a complaint.^[26]

2.18 Under the existing privacy regime in NSW, there are two avenues of complaint available to individuals who believe that their privacy has been infringed. The individual may make a complaint directly to Privacy NSW.^[27] Alternatively, those who believe that their privacy has been interfered with by a NSW public sector agency can submit a complaint directly to the agency and request that the agency conduct an internal review of the behaviour that led to the complaint. Privacy NSW is responsible for the oversight of internal reviews.^[28] If an individual is not satisfied with the finding of the review or the action taken by the agency in relation to the application, the individual may apply to the NSW Administrative Decisions Tribunal for a review of the conduct.^[29]

2.19 In 2005–06, 81 complaints were made directly to Privacy NSW.^[30] The majority of those complaints were against state government agencies. A significant proportion, however, were also against private organisations and local governments.^[31] The most common complaints received by Privacy NSW were about disclosure of information, surveillance and physical privacy, and collection of information.^[32] NSW public sector agencies handled 100 complaints as internal reviews, which were then overseen by Privacy NSW.^[33]

Health Records and Information Privacy Act 2002 (NSW)

2.20 The Health Records and Information Privacy Act 2002 (NSW) implements a privacy regime for health information held in the NSW public sector and the private sector (except small businesses as defined in the Privacy Act).^[34] The Act allows for individuals to obtain access to health information and establishes a framework for the resolution of complaints regarding the handling of health information.^[35]

2.21 The Act contains 15 Health Privacy Principles (HPPs) that outline how health information must be collected, stored, used and disclosed. The HPPs can be grouped into seven areas: collection; storage; access and accuracy; use; disclosure; identifiers and anonymity; and transferrals and linkage.^[36] The Act provides for a number of exemptions from these principles. For example, the Act does not apply to the Independent Commission Against Corruption (ICAC), except in connection with the exercise of its administrative and educative functions.^[37] Further, the HPPs themselves include exemptions,^[38] some of which are the subject of statutory guidelines.^[39]

2.22 The Health Records and Information Privacy Act provides two avenues of complaint for individuals. Parts 3 and 6 of the Act allow individuals to make complaints directly to the NSW Privacy Commissioner,^[40] or direct their complaints to the NSW public sector agency for internal review of the conduct that lead to the complaint.^[41] In 2005–06, Privacy NSW received 28 complaints relating to health records.^[42] NSW public sector agencies handled 20 complaints concerning health records as internal reviews, which were then overseen by Privacy NSW.^[43]

Other legislation

2.23 The Workplace Surveillance Act 2005 (NSW) prohibits covert surveillance of employees in the workplace without appropriate notice. Three categories of surveillance are covered: camera surveillance; surveillance of an employee’s use of a work computer; and surveillance of the location or movements of an employee.^[44]

2.24 The Surveillance Devices Act 2007 (NSW) was recently enacted to regulate the installation, use, maintenance and retrieval of surveillance devices; restrict the use, publication and communication of information obtained through the use of surveillance devices; and establish procedures for law enforcement officers to obtain warrants or emergency authorisations for the installation, use, maintenance and retrieval of surveillance devices. The Act repeals the Listening Devices Act 1984 (NSW).^[45]

Victoria

Information Privacy Act 2000 (Vic)

2.25 The Information Privacy Act 2000 (Vic) came into force on 1 September 2002. The Act covers the handling of personal information (except health information) in the state public sector in Victoria, and by other bodies that are declared to be ‘organisations’ for the purposes of Act.^[46] Organisations performing work for the Victorian government may also be subject to the Act, depending on the particular contract.^[47]

2.26 The Act requires public sector agencies to comply with 10 Information Privacy Principles or have an approved code of practice.^[48] The Information Privacy Principles are similar to the NPPs in the Privacy Act.^[49] The Act contains a number of exemptions, including in relation to courts and tribunal proceedings, publicly available information and law enforcement.^[50]

2.27 The Act establishes the Office of the Victorian Privacy Commissioner (OVPC). The Victorian Privacy Commissioner’s functions include the receipt of complaints about an act or practice that may contravene an Information Privacy Principle or that may interfere with the privacy of an individual.^[51] The complaint-handling procedure includes a conciliation process and conciliation agreement. The Victorian Privacy Commissioner also has the power to issue compliance notices in order to enforce the Information Privacy Principles.^[52] Unlike the federal Privacy Commissioner or the Victorian Health Services Commissioner, the Victorian Privacy Commissioner has no power to decide that a breach of privacy has occurred.

2.28 The OVPC received 54 new complaints in 2006–07.^[53] The most common complaints were against state government departments (18 complaints), local councils (11 complaints), law enforcement bodies (nine complaints) and against statutory authorities (seven complaints). Complaints related to use and disclosure, data security and the collection of information.^[54]

Health Records Act 2001 (Vic)

2.29 The Health Records Act 2001 (Vic) covers the handling of all health information held by health service providers in the state public sector^[55] and the private health sector.^[56] The Act contains 11 Health Privacy Principles adapted from the NPPs in the Privacy Act.^[57] The Act contains a few exemptions to these principles, including for: dealing with health information for personal, family or household affairs; publicly available health information; and the news media.^[58]

2.30 The Act is administered by the Office of the Health Services Commissioner, which may receive complaints about an act or practice that may be an interference with the privacy of the complainant.^[59] The Commissioner can deal with a complaint in a number of ways, including by conducting an investigation, by conciliation, a hearing, issuing a compliance notice, or referring a complaint to the Victorian Civil and Administrative Appeals Tribunal.^[60] In 2006–07, the Office of the Health Services Commissioner accepted 89 complaints that related to the Health Records Act.

2.31 The Health Services Commissioner has the power to issue or approve guidelines. These guidelines may lessen the level of privacy protection afforded by a relevant Health Privacy Principle.^[61]

Workplace privacy

2.32 In October 2005, the Victorian Law Reform Commission (VLRC) released Workplace Privacy—Final Report (2005).^[62] The VLRC concluded that significant legislative gaps in the protection of privacy in workplaces required regulation at the state level, and recommended the enactment of workplace privacy legislation and the establishment of a workplace privacy regulator.^[63]

2.33 The Victorian Parliament has enacted the Surveillance Devices (Workplace Privacy) Act 2006 (Vic).^[64] The Act implements the recommendation of the VLRC report that acts or practices of employers which involve installation, use or maintenance of surveillance devices in relation to their workers should be regulated.^[65] The Act amends the Surveillance Devices Act 1999 (Vic) to make it an offence for an employer knowingly to install, use or maintain an optical surveillance device or listening device to observe, listen to, record or monitor the activities or conversations of a worker in workplace toilets, washrooms, change rooms or lactation rooms.^[66] There are some limited exceptions to this general prohibition.^[67]

2.34 In March 2008, the Standing Committee of Attorneys-General (SCAG) considered options for reform in the area of workplace privacy. SCAG agreed that a minimum model for nationally consistent workplace privacy regulation should be developed. In SCAG’s view, such a model should be supported by legislation, and include a combination of measures such as mandatory and voluntary codes of practice. If a jurisdiction imposes a stricter standard than the minimum model, then the stricter standard should continue to apply in that jurisdiction.^[68]

Charter of Human Rights and Responsibilities Act 2006 (Vic)

2.35 The Charter of Human Rights and Responsibilities Act 2006 (Vic) introduced a Charter of Human Rights and Responsibilities for the protection and promotion of human rights in Victoria.^[69] Part 2 of the Act sets out a number of human rights including the right of a person not to have unlawful or arbitrary interference with his or her privacy, family, home or correspondence. The Act requires statutory provisions to be interpreted in a way that is compatible with the human rights set out under Part 2 of the Act. It will also require public authorities to act in a way that is compatible with those human rights. The Act is administered by the Victorian Equal Opportunity and Human Rights Commission.

Queensland

2.36 In 1997, the Legal, Constitutional and Administrative Committee of the Queensland Legislative Assembly recommended the enactment of a privacy regime for Queensland based on a set of information privacy principles and the establishment of a Privacy Commissioner.^[70] While this recommendation has not been implemented, an administrative scheme was established in 2001, based on the IPPs and the NPPs in the Privacy Act. Details of the scheme are provided in Information Standards issued by the Department of Innovation and Information Economy under the Financial Management Standard 1997 (Qld).^[71]

Information Standard 42

2.37 Information Standard 42—Information Privacy (IS 42) requires the Queensland state public sector to manage personal information in accordance with a set of Information Privacy Principles adapted from the IPPs in the Privacy Act. IS 42 applies to all accountable officers and statutory bodies as defined in the Financial Administration and Audit Act 1977 (Qld) (including government departments). It also applies to most statutory government-owned corporations.^[72]

2.38 The requirement for agencies to comply with IS 42 is administratively based. This means that, where conflicting legislative requirements exist, these will prevail. In addition, compliance is subject to any existing outsourcing arrangements, contracts and licenses.^[73] IS 42 provides for two types of exemptions, one concerning exempt bodies; the other relating to personal information.^[74]

2.39 IS 42 contains a number of requirements, including that departments and agencies nominate a privacy contact officer; and that they develop, publish and implement privacy plans to give effect to the Information Privacy Principles.^[75] IS 42 provides that agencies may develop codes of practice that modify the application of the Information Privacy Principles.^[76] A set of guidelines has been developed to assist agencies to comply with their obligations in this regard.^[77]

2.40 The Queensland Government Department of Justice and Attorney-General is responsible for the administration of privacy in Queensland under IS 42, which includes initiating whole of government privacy initiatives, providing policy advice and dispensing best practice advisory services to Queensland Government agencies and the community.

Health information

Queensland Health Quality and Complaints Commission Act 1992 (Qld)

2.41 In 2006, the Health Rights Commission Act 1992 (Qld) was repealed by the Health Quality and Complaints Commission Act 2006 (Qld). The new Act replaces the Health Rights Commission with the Health Quality and Complaints Commission (HQCC). The HQCC is responsible for the oversight of public and private health service delivery in Queensland, and for addressing complaints associated with health service delivery in Queensland. Although there is no specific provision for privacy complaints under the Health Quality and Complaints Commission Act, the HQCC reported that in 2006–07 it received 111 complaints related to ‘privacy/discrimination’ out of a total of 2,832 complaints.^[78]

2.42 Chapter 4 of the Health Quality and Complaints Commission Act requires the HQCC to develop a Code of Health Rights and Responsibilities.^[79] In developing the content of the Code, the Commission must have regard to a number of principles, including that the confidentiality of information about an individual’s health should be preserved; an individual is entitled to reasonable access to records about the individual’s health; and an individual is entitled to reasonable access to procedures for the redress of grievances relating to the provision of health services.^[80]

2.43 The HQCC has released a Draft Code of Health Rights and Responsibilities (Draft Code) for consultation.^[81] The Draft Codeis intended to apply to all health service providers, health service users and their carers throughout the public and private sectors in Queensland.^[82]

2.44 The Draft Code contains seven statements of health rights. Statement 6 outlines that: ‘You have a right to access your personal health information, confidentiality and accurate record keeping’. This statement is broken down into four entitlements of health service users: service provision in a confidential environment; accurate and objective recording of health information; confidential keeping of health information and records; and access to personal information. Each entitlement sets out the responsibilities of providers and users.^[83]

Health Services Act 1991 (Qld)

2.45 Part 7 of the Health Services Act 1991 (Qld) provides that it is an offence for a designated person or former designated person to disclose confidential information that identifies a person who is receiving, or has received, a public sector health service.^[84] The provision is subject to a number of exceptions, for example: with consent; where required or permitted by law; to assist in averting a serious risk to life, health or safety, or public safety.^[85]

Information Standard 42A

2.46 Information Standard 42A—Information Privacy for the Queensland Department of Health (IS 42A) applies only to that Department and requires health information and personal information to be managed in accordance with National Privacy Principles adapted from the NPPs contained in the Privacy Act.^[86] A number of principles have been deleted as they do not apply to the Queensland Department of Health or are dealt with under other schemes. For example, NPP 6 has been deleted as rights of access and correction are provided for in the Freedom of Information Act 1992 (Qld).

2.47 IS 42A is similar to IS 42: it contains the same mandatory requirements; similar exemptions; and provides for the development of codes of practice. A set of guidelines has been developed to assist the Department to comply with its obligations under IS 42A.^[87]

Other legislation

2.48 The Invasion of Privacy Act 1971 (Qld) requires the licensing and control of credit reporting agents and regulates the use of listening devices.

Western Australia

2.49 The state public sector in Western Australia does not currently have a legislative privacy regime, although some privacy principles are provided for in the Freedom of Information Act 1992 (WA). This Act provides for access to documents and the amendment of ‘personal information’ in a document held by an agency that is inaccurate, incomplete, out-of-date or misleading. The definition of ‘personal information’ is similar to the definition under the Privacy Act except that it also includes information about an individual who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.^[88]

2.50 Part 4 of the Freedom of Information Act 1992 (WA) establishes the Information Commissioner, whose main function is to deal with complaints about decisions made by agencies in respect of access applications and applications for amendment of personal information.^[89] The Office of the Information Commissioner received 145 complaints in 2006–07, of which 113 were for external review of a decision under the Freedom of Information Act 1992 (WA). External review complaints include complaints relating to applications for access to documents and the amendment of personal information under the Act.^[90]

2.51 The State Records Act 2000 (WA) affords some limited protection of privacy. For example, no access is permitted to medical information about a person unless the person consents, or the information is in a form that neither discloses nor would allow the identity of the person to be ascertained.^[91] Neither the State Records Act nor the Freedom of Information Act 1992 (WA), however, deal comprehensively with privacy issues associated with the collection, storage and use of personal information by agencies.

Information Privacy Bill 2007

2.52 The Information Privacy Bill 2007 (WA) was introduced into the Western Australian Parliament on 28 March 2007. The Bill proposes to regulate the handling of personal information in the state public sector and the handling of health information by the public and private sectors in Western Australia.^[92] In April 2008, the Bill had been read for a second time in the Legislative Council.

2.53 The Bill requires most state public sector agencies, and contractors to public sector agencies, to comply with a set of eight Information Privacy Principles. The Information Privacy Principles draw heavily on the NPPs contained in the Privacy Act and on the Information Privacy Principles in the Information Privacy Act 2000 (Vic).^[93]

2.54 The Bill also requires most public sector agencies, private sector health service providers, and persons or bodies in the private sector who handle health information about individuals, to comply with a set of 10 Health Privacy Principles. The Health Privacy Principles are adapted from, and are consistent with, the Draft National Health Privacy Code.^[94] They are broadly similar to the general requirements of the NPPs in the Privacy Act, but are specifically tailored to the privacy of health information.^[95] Under Part 3 Division 2 of the Bill, individuals will be given access to records held by private sector organisations and increased ability to amend their records. This is similar to the power under the Freedom of Information Act 1992 (WA).

2.55 The Bill contains a number of exemptions, including for courts and tribunals^[96] and publicly available information.^[97] Some law enforcement agencies and child protection agencies do not have to comply with certain Information Privacy Principles and Health Privacy Principles.^[98] The Bill also provides for codes of practice that can derogate from the Information Privacy Principles and the Health Privacy Principles.^[99]

2.56 Part 6 of the Bill overrides prohibitions on the disclosure of personal and health information by public sector agencies, whether those prohibitions result from other statutes, the common law, or ethical or professional obligations, provided the disclosure meets certain criteria. These criteria include, for example, that the disclosure is for the purpose for which the information was collected, or that the disclosure falls within certain specified exceptions to the Information Privacy Principle or Health Privacy Principle relating to use and disclosure.

2.57 The Bill would establish the Privacy and Information Commissioner, who will replace and expand the role of the current Information Commissioner. The Commissioner’s functions and powers would include: monitoring and promoting compliance with the Information Privacy Principles and the Health Privacy Principles, reporting to the minister responsible for administering the legislation, and resolving complaints.^[100] The complaint-handling process includes the use of conciliation proceedings.^[101] Complaints that are not resolved through conciliation may be resolved by the State Administrative Tribunal.^[102]

South Australia

Cabinet administrative instruction

2.58 There is no legislation that specifically addresses privacy in South Australia.^[103] The South Australian Department of the Premier and Cabinet, however, has issued an administrative instruction requiring its government agencies to comply with a set of Information Privacy Principles based on the IPPs in the Privacy Act. PC012—Information Privacy Principles Instruction was first issued in July 1989 and then reissued in July 1992.^[104]

2.59 The Privacy Committee of South Australia was first established in 1989. In 2001, the Committee was appointed to oversee the implementation of the Information Privacy Principles in the South Australian public sector and to provide advice on privacy issues. The Committee oversees the privacy regime and performs a complaint-handling role. The Committee’s functions include the referral of written complaints concerning violations of individual privacy received by it to an appropriate authority.^[105] The Committee must prepare a report of its activities annually and submit the report to the minister (currently the Minister for Finance). Members of the public who are unsatisfied with the Privacy Committee’s response to their complaint are referred to the South Australian Ombudsman for further investigation.^[106] The Committee is also able to exempt a person or body from one or more of the Information Privacy Principles on such conditions as the Committee thinks fit.^[107]

2.60 The ALRC has been informed that State Records of South Australia (State Records), in supporting the Privacy Committee of South Australia, is developing a guideline for matching and sharing personal information. State Records is also examining other opportunities for guidelines and proposed amendments to the Instruction that might improve the protection of privacy within the South Australian public sector. Other projects include the development of a standard under the State Records Act 1997 (SA) relating to contracting out and the handling of personal information.^[108]

Code of Fair Information Practice

2.61 South Australia also has a Code of Fair Information Practice based on the NPPs in the Privacy Act.^[109] The Code applies to the South Australian Department of Health and the Department for Families and Communities.^[110]

Tasmania

Personal Information Protection Act 2004 (Tas)

2.62 The Personal Information Protection Act 2004 (Tas) regulates the collection, use and disclosure of personal information. The Act applies to ‘personal information custodians’ including state government agencies, statutory boards, local councils, the University of Tasmania and any body, organisation or person who has entered into a personal information contract with government agencies relating to personal information.^[111] A ‘personal information contract’ is a contract between a personal information custodian and another person relating to the collection, use or storage of personal information.^[112]

2.63 The 10 ‘Personal Information Protection Principles’ set out in Schedule 1 of the Act are based on the NPPs in the Privacy Act. Aspects of the Privacy and Personal Information Protection Act 1998 (NSW) and the Information Privacy Act 2000 (Vic) also have been incorporated into the principles.

2.64 The Tasmanian regime is similar to legislation in other jurisdictions in that it contains exemptions for information concerning law enforcement or that is publicly available.^[113] The obligations in relation to ‘employee information’, however, are different from the federal and other state and territory regimes, in that they allow job applicants and employees to benefit from the privacy obligations imposed on employers.^[114] A personal information custodian also may apply to the Minister for Justice for an exemption from compliance with any or all of the provisions of the Act.^[115]

2.65 Part 4 of the Act provides for complaints and investigations. Rather than establishing a central body (such as a Privacy Commissioner) to manage complaints, the Tasmanian Ombudsman either investigates and determines the complaint or refers the complaint to another person, body or authority that the Ombudsman considers appropriate in the circumstances.^[116] If, on completion of an investigation of a complaint, the Ombudsman is of the opinion that a personal information custodian has contravened a personal information protection principle, the Ombudsman may make any recommendations the Ombudsman considers appropriate in relation to the subject matter of the complaint.^[117]

Charter of Health Rights and Responsibilities

2.66 The Health Complaints Act 1995 (Tas) requires the Health Complaints Commissioner to develop a Charter of Health Rights.^[118] The Charter of Health Rights and Responsibilities was developed and tabled in Parliament in 1999.

2.67 The Charter applies to a wide range of health service providers and provides for six rights, including the right to confidentiality, privacy and security.^[119] It sets out a range of rights of health service consumers including the right of a consumer: to have his or her personal health information and any matters of a sensitive nature kept confidential; for health service facilities to ensure his or her privacy when receiving health care; and to expect that information about his or her health is kept securely and cannot easily be accessed by unauthorised persons. The Charter also provides that health service providers have the right to discuss the health care and treatment of a consumer with other providers for advice and support, if it is in the best interest of the consumer’s health and wellbeing.^[120]

2.68 The Charter is administered by the Health Complaints Commissioner,^[121] who has a number of functions including to receive, assess and resolve complaints.^[122] Complaints may be resolved by conciliation and through the use of enforceable agreements between a complainant and health service provider.^[123] In 2006–07, the Commissioner reported the resolution of 21 privacy-related complaints out of a total of 485 complaints resolved in that period.^[124]

Australian Capital Territory

2.69 The ACT public sector complies with an amended version of the Privacy Act.^[125] The Office of the Privacy Commissioner (OPC) administers the Act on behalf of the ACT government.

Health Records (Privacy and Access) Act 1997 (ACT)

2.70 The Health Records (Privacy and Access) Act 1997 (ACT) removes health records from the jurisdiction of the OPC. The Act regulates the handling of health records held in the public sector in the ACT and also applies to acts or practices of the private sector. The Act contains 14 privacy principles that have been modified to suit the requirements of health records.^[126]

2.71 The Act gives people access to their own health records or any other record to the extent that it contains personal health information.^[127] The Act imposes obligations on both the person requesting access to a health record^[128] and the person who responds to a request for access.^[129] The Act contains a number of exemptions to the general right of access to health records. For example, it is a ground of ‘non-production’ if the record or part of the record does not relate in any respect to the person requesting it.^[130]

2.72 The ACT Human Rights Commission administers the Act.^[131] Under Part 4, a complaint may be made to the Commissioner on the following grounds: the act or omission contravenes the privacy principles in relation to a consumer; the act or omission is a refusal to give access in accordance with the Act to a health record relating to a consumer; or the act or omission is a refusal by a record keeper of a health record to give access to the health record under the Act.

2.73 The Human Rights Commission commenced operation on 1 November 2006. The Commission is an independent agency established by the Human Rights Commission Act 2005 (ACT). The Commission brings together the existing functions of the ACT Human Rights Office and the Community and Health Services Complaints Commissioner. The Health Records (Privacy and Access) Act was previously administered by the ACT Community and Health Services Complaints Commissioner.^[132]

Human Rights Act 2004 (ACT)

2.74 Section 12 of the Human Rights Act 2004 (ACT) provides that all individuals have the right not to have unlawful or arbitrary interferences with their privacy, family, home or correspondence or have their reputation unlawfully attacked. The Act also imposes a duty of consistent interpretation in respect of other legislation. Under the Act, when a court is interpreting an ACT law it must adopt an interpretation ‘consistent with human rights’ as far as possible.^[133]

Northern Territory

Information Act 2002 (NT)

2.75 The Northern Territory has combined its information privacy, freedom of information, and public records laws into a single Act, the Information Act 2002 (NT). Schedule 2 of the Act contains 10 Information Privacy Principles.^[134] The Information Privacy Principles are based on the NPPs in the Privacy Act.^[135] The Act provides for a number of exemptions to the Information Privacy Principles. For example, the Information Privacy Principles do not apply to publicly available information,^[136] or to court or tribunal proceedings.^[137]

2.76 The Act also provides for approved codes of practice.^[138] A code may specify the manner in which a public sector agency is to apply or comply with one or more of the Information Privacy Principles. A code may also modify an Information Privacy Principle, but only in limited circumstances.^[139]

2.77 Part 6 of the Act establishes the Information Commissioner for the Northern Territory. The Information Commissioner may authorise a public sector agency to collect, use or disclose personal information in a manner that would otherwise contravene or be inconsistent with specified Information Privacy Principles.^[140] The Commissioner also has the power to issue a notice requiring a public sector organisation to take specified action within a period to ensure that in the future it complies with an IPP or code of practice.^[141]

2.78 A person may make a complaint to the Commissioner about a public sector organisation that has collected or handled his or her personal information in a manner that contravenes an Information Privacy Principle, a code of practice or an authorisation; or has otherwise interfered with the person’s privacy.^[142] The Information Commissioner has the power to conduct a hearing in relation to the complaint and make a number of orders.^[143] In 2006–07, the Information Commissioner received three privacy complaints.^[144]

Code of Health and Community Rights and Responsibilities

2.79 The Northern Territory does not have health-specific privacy legislation, although the Code of Health and Community Rights and Responsibilities (the Code) made under s 104(3) of the Health and Community Services Complaints Act 1998 (NT) confers a number of rights and responsibilities on all users and providers of health and community services in the Northern Territory.^[145] The rights and responsibilities set out in the Code do not override duties set out in Northern Territory or federal legislation.

2.80 Principle 4 of the Code relates to personal information. It provides that people have a right to information about their health, care and treatment. They do not have, however, an automatic right of access to their care or treatment records. Under the Principle, health service providers may prevent health service users from accessing their records where legislation restricts the right to access information, or the provider has reasonable grounds to consider that access to the information would be prejudicial to the user’s physical or mental health. The Principle also provides that health service providers have a responsibility to protect the confidentiality and privacy of health service users.

2.81 The Northern Territory Health and Community Services Complaints Commission handles complaints in relation to non-compliance with the Code. Complaints are administered under the Health and Community Services Complaints Act 1998 (NT). Under that Act, the Commissioner may resolve complaints by conciliation,^[146] and may receive complaints from the Information Commissioner.^[147] The Health and Community Services Complaints Review Committee may review decisions by the Commissioner.^[148] In 2006–07, the Commission reported that it did not receive any complaints relating to access to records and that it received one complaint relating to ‘privacy/confidentiality’.^[149]

Proposed health privacy legislation

2.82 In March 2002, the Northern Territory Department of Health and Community Services released a discussion paper, Protecting the Privacy of Health Information in the Northern Territory,^[150] which sought views on the need for the development of health-specific privacy protection for the Northern Territory. The legislation proposed by the discussion paper would apply to public sector organisations only, and consisted of three main elements: the protection of the privacy of an individual’s health information in both the public and private sectors in the Northern Territory; the establishment of a right for individuals to access their own health information; and the conferral of jurisdiction on the Health and Community Services Complaints Commissioner to oversee the health privacy regime and to handle and resolve complaints.^[151] To date, a final report has not been released.

Other relevant state and territory legislation

2.83 Personal information is also regulated under state and territory legislation that is not specifically concerned with the protection of personal information. Examples include legislation that contains secrecy provisions, freedom of information legislation, public records legislation, listening and surveillance devices legislation and telecommunications legislation.

2.84 Legislation in each state and territory includes provisions that place obligations on public sector agencies and individuals in the public sector not to use or disclose certain information. For example, s 9 of the Public Sector Management Act 1994 (WA) requires all public sector bodies to be ‘scrupulous in the use of official information’. Other state and territory legislation includes secrecy provisions. Often these provisions state that the disclosure of certain information is an offence.^[152] For example, s 22 of the Health Administration Act 1982 (NSW) provides that it is an offence to disclose information obtained in connection with the administration of the Act, subject to a number of exceptions.

2.85 Each state and territory has freedom of information legislation that enables the public to obtain access to information held by that state or territory government. The right of access to information is subject to a number of exceptions. Documents affecting personal privacy of third parties will usually be exempt from the access requirements under the Act or will be released only after a consultation process.^[153] Freedom of information legislation also attempts to ensure that records held by government concerning the personal affairs of members of the public are complete, correct, up-to-date and not misleading.^[154]

2.86 Public records legislation in each state and territory is intended to ensure the effective management of government records and improved record keeping. The legislation provides for public access to records as well as setting out restrictions on access to certain records. Some state and territory public records legislation restricts access to records that contain personal information.^[155]

2.87 Some privacy protection is also provided in state and territory legislation regulating the use of listening and other surveillance devices,^[156] and telecommunications interception.^[157]

2.88 Various state and territory laws regulate the private sector. For example, s 19 of the Introduction Agents Act 1997 (Vic) regulates the handling of personal information by introduction agencies about their clients. State and territory public health Acts require health service providers, including private health service providers, to collect and record certain information about health consumers with ‘notifiable diseases’ such as tuberculosis, Creutzfeldt-Jakob disease and HIV/AIDS.^[158] State and territory adoption laws contain a range of provisions regulating adoption records held by government and private adoption agencies, including providing for retention, disclosure and access to information.^[159] State and territory laws that regulate the private sector are discussed further in Chapter 3.