16.08.2010
Background
47.128 The Commissioner has the power to make a determination that an act or practice of an agency or organisation, which may otherwise breach an IPP, NPP or approved privacy code, should be regarded as not breaching that principle or privacy code while the determination is in force. Such a determination is called a ‘public interest determination’ (PID) and is issued under Part VI of the Privacy Act.[187]
Nature of determinations
47.129 A PID can be made if the public interest in an agency or organisation doing an act or engaging in a practice which breaches or may breach an applicable IPP, NPP or code provision, outweighs to a substantial degree the public interest in adhering to the IPP, NPP, or code provision.[188] A PID made by the Commissioner in relation to organisations (but not agencies) can be given general effect so that it covers all organisations in respect of that act or practice.[189]
47.130 The Privacy Act sets out a detailed process for receiving and applying for, consulting on, and issuing a PID. The OPC has issued non-binding guidelines to assist those considering or making applications for a PID,[190] and ‘strongly encourages’ agencies and organisations to discuss matters with the OPC before making an application.[191]
Temporary public interest determinations
47.131 The Commissioner also has the power to issue a temporary public interest determination (TPID). A TPID has the same effect as a PID but is limited in duration to a maximum of 12 months.[192] The Commissioner can make a TPID in relation to an act or practice of an agency or organisation, that is the subject of an application for a standard PID, where the application raises issues that require an urgent decision.[193] The Commissioner can give a TPID in respect of an act or practice of an organisation general effect, so that it applies to other organisations.[194]
Discussion Paper proposal
47.132 In the Issues Paper, Review of Privacy (IP 31), the ALRC asked whether the Commissioner’s powers to make PIDs and TPIDs were appropriate and administered effectively.[195] Most stakeholders submitted that the powers are appropriate,[196] with the OPC suggesting that they provided ‘necessary flexibility’ to respond to situations where ‘the operation of the high level privacy principles in the Privacy Act may be inconsistent with the public interest’.[197]
47.133 The OPC noted, however, that it lacks any discretion under the Privacy Act to dismiss an application for a PID or decline to consider it. This means that once an application is made to the OPC, it must embark on the lengthy consultation process set out in the Act. The OPC submitted that ‘as such, there is a risk that an application could be made frivolously or vexatiously or where there is clearly no merit and the Commissioner would then be bound to undertake full consideration of the matter’.[198]
47.134 To address the above concerns, and give the OPC greater flexibility in the PID process, the ALRC proposed that the Privacy Act should be amended to give the Commissioner discretion to decline to accept an application for a PID where the Commissioner is satisfied that the application is frivolous, vexatious, misconceived or lacking in merit. It was noted that a decision to decline an application would be subject to judicial review.[199]
Submissions and consultations
47.135 The OPC supported the proposal.[200] A number of other agencies and stakeholders also supported the proposal on the basis that it would conserve the OPC’s resources.[201]
47.136 Privacy advocates, however, were concerned that the proposal would allow the Privacy Commissioner to dismiss PID applications too readily.[202] The Cyberspace Law and Policy Centre argued that the proposal should be limited to applications:
where the Commissioner is satisfied that the application is misconceived as to the purposes of public interest determinations, or so lacking in merit as not to be worthy of public consideration.[203]
47.137 PIAC agreed that the Commissioner should have the discretion to refuse to accept applications for PIDs where they are frivolous, misconceived or vexatious, on the basis that these are factors that are usually obvious on the face of an application. In the case of applications lacking in merit, however, it argued that
it is difficult to see how the Commissioner could make a decision that an application for a public interest determination is ‘lacking in merit’ without first accepting the application and conducting some preliminary investigations.[204]
ALRC’s view
47.138 The ALRC recommends that the Privacy Act be amended to give the Privacy Commissioner a discretion to decline to accept an application for a PID where the Commissioner is satisfied that the application is frivolous, vexatious or misconceived. An application that is misconceived may, for example, be an application where the applicant has misunderstood the purpose of a PID or the requirements of the public interest test. This recommendation would set a high standard for dismissing an application outright, and should operate to encourage applicants to discuss their applications with the Commissioner before submitting them, consistent with the PID guidelines. The ALRC also notes that any decision to refuse to accept an application would be subject to judicial review.
47.139 In the case of applications lacking in merit, the ALRC agrees with PIAC’s view that some investigation of the issues must be made before such an assessment could be reached. Indeed, the purpose of the consultation process is to assess whether the application has merit, in the sense that the public interest in allowing the waiver of compliance outweighs the public interest in upholding the principle. Removal of the words ‘lacking in merit’ from the original proposal also should meet some of the concerns of privacy advocates that an application may be dismissed too easily by the Commissioner.
47.140 The ALRC does not recommend any reform of the public interest test for the making of a PID or TPID. While the ALRC is recommending that the public interest test used in relation to medical research is changed to ‘outweighs’ rather than ‘substantially outweighs’,[205] there are important distinctions between that area and PIDs, which justify keeping the higher test for PIDS. In particular, PIDs have the potential to reduce the protection provided by the privacy principles across broad sectors for significant periods of time. In contrast, approval by a Human Research Ethics Committee is limited to specific research activities for the duration of those activities.
Recommendation 47-8 The Privacy Act should be amended to empower the Privacy Commissioner to refuse to accept an application for a Public Interest Determination where the Privacy Commissioner is satisfied that the application is frivolous, vexatious or misconceived.
[187] There are similar instruments in other Australian jurisdictions: see Information Act 2002 (NT) s 81; Privacy and Personal Information Protection Act 1998 (NSW) s 41. As at April 2008, there were 10 public interest determinations registered, dated from September 1989 with the most recent determination dated December 2007. There are no current temporary public interest determinations: Office of the Privacy Commissioner, Public Interest Determinations <www.privacy.gov.au/act/publicinterest/
index.html> at 15 May 2008.
[188]Privacy Act 1988 (Cth) s 72(1)–(2). Emphasis added.
[189] Ibid s 72(4).
[190] Office of the Federal Privacy Commissioner, Public Interest Determination Procedure Guidelines (2002).
[191] See the Office of the Privacy Commissioner, Public Interest Determinations <www.privacy.gov.au/act/
publicinterest/index.html> at 15 May 2008.
[192]Privacy Act 1988 (Cth) ss 80A(3)(a), 80B.
[193] Ibid s 80A(1).
[194] Ibid s 80B(3)–(4).
[195] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 6–18.
[196] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Federal Police, Submission PR 186, 9 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007.
[197] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. Similar comments on the benefits of PIDs were made in Australian Federal Police, Submission PR 186, 9 February 2007; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[198] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[199] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 44–8.
[200] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[201] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.
[202] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[203] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.
[204] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[205] Rec 65–4.