Compliance a must with new NSW disclosure requirements

18  January 2016

The Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) sets out the legislative framework for the management and protection of personal information by NSW public sector agencies.

In late November 2015, the NSW Parliament passed the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Bill 2015 (Amending Legislation). The Amending Legislation heralds a suite of amendments to the PPIPA. Some of the amendments have already come into effect.

The focus of this Insight is on the changes to section 19 of the PPIPA, which concern the disclosure of personal information to persons or bodies outside NSW and to Commonwealth agencies. Those changes come into effect on 1 April 2016.

In this Insight we summarise the key changes to the PPIPA, discuss the background to the section 19 changes and look at the implications of those changes for the NSW public sector.

WHAT IS CHANGING

The Amending Legislation:

  • Introduces new conditions in section 19(2) of the PPIPA (which will replace existing subsections 19(2) to (5)) about when public sector agencies may disclose personal information to interstate persons or bodies or to Commonwealth agencies.
  • Amends the PPIPA to permit public sector agencies to collect, use and disclose personal information for certain research purposes based on existing exemptions applicable to health information under the Health Records and Information Privacy Act 2002 (NSW) (HRIPA).
  • Clarifies that the exemptions in the PPIPA relating to law enforcement extend to law enforcement for the purposes of the Commonwealth or another State or Territory.
  • Extends the meaning of "investigative agency" in section 3 of the PPIPA to include additional public sector agencies with investigative functions or that conduct an investigation on behalf of another public sector agency.
  • Incorporates into the PPIPA a number of long-term NSW Privacy Commissioner public interest directions that provide exceptions to the Information Protection Principles (IPPs).

SPOTLIGHT ON SECTION 19

Section 19(2) currently provides that a public sector agency must not disclose the personal information that it holds to any individual or body who is in a jurisdiction outside NSW or to a Commonwealth agency unless there is a relevant privacy law in force that applies to the personal information concerned, or the disclosure is permitted under a privacy code of practice (Privacy Code of Practice). Subsections (3) to (5) provide guidance in relation to the operation of subsection (2). For example, subsection (4) stipulates that the Privacy Commissioner is to prepare a Privacy Code of Practice. Subsection (5) indicates that subsection (2) does not apply until a Privacy Code of Practice is made.

One of the difficulties with section 19 is that despite being over a decade old, no Privacy Code of Practice has been made for the purposes of section 19(2) and therefore the section has never applied in practice. In addition, the former Administrative Decisions Tribunal in GQ v NSW Department of Education and Training [2008] (No 2) NSWADT 319 (the GQ decision) has interpreted section 19(2) in such a manner as to place no effective limitations on interstate disclosures.

Up until now, this has created an uncertain landscape for NSW government agencies to operate within, with many agencies (notwithstanding the GQ decision) adopting a conservative approach of ensuring compliance with the requirements of section 18 which prescribe general limits on disclosure of personal information. It has also created an inconsistency with the HRIPA and equivalent transborder disclosure frameworks in other States, such as Victoria and Queensland.

The Amending Legislation seeks to address this gap by introducing a list of conditions on when NSW government agencies may disclose personal information outside NSW and to Commonwealth agencies. Those conditions are:

  • The agency reasonably believes the recipient is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the IPPs;
  • The individual expressly consents to the disclosure;
  • The disclosure is necessary for the performance of a contract between the individual and the agency or for the implementation of pre-contractual measures taken in response to the individual's request;
  • The disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the agency and a third party;
  • All of the following apply:

    • the disclosure is for the benefit of the individual;
    • it is impracticable to obtain the consent of the individual; or
    • if it were practicable to obtain such consent, the individual would be likely to give it;
  • The agency reasonably believes the disclosure is necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person;
  • The agency has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient inconsistently with the IPPs; or
  • The disclosure is permitted or required by an Act or any other law.

WHAT THE CHANGES WILL MEAN FOR NSW GOVERNMENT AGENCIES

As a result of the GQ decision, sections 19(2) to (5) have proven to be a vague area which has led to compliance risks for NSW government agencies.

The Amending Legislation is a positive step as it removes the reference to a Privacy Code of Practice and provides some clarity about when agencies can disclose personal information outside NSW and to Commonwealth agencies. It ensures that the regime governing the disclosure of personal information outside NSW and to Commonwealth agencies is more closely aligned with the original object of section 19(2) to safeguard and protect personal information whether it is located or used within or outside NSW. It also brings section 19 in line with the HRIPA.

Because of the wide-ranging nature of new section 19(2), the changes will, in practice, provide significant scope for NSW government agencies to disclose personal information outside NSW and to Commonwealth agencies. For example, under the new legislation a disclosure can be made for the broad purposes of being necessary for the performance of a contract between the individual and a NSW government agency or the performance of a contract concluded in the interest of the individual between a NSW government agency and a third party. It will be interesting to see how these amendments are interpreted by courts and tribunals in practice.

For now, subject to ensuring compliance with the new requirements, we do not anticipate a significant change in how NSW government agencies deal with interstate disclosures and disclosures to Commonwealth agencies.

In the lead up to commencement of the new provisions on 1 April 2016, NSW government agencies should review any contracts which involve the disclosure of personal information outside of NSW or to Commonwealth agencies to ensure they comply with the changes. This would include reviewing:

  • Cloud contracts where data is stored outside of NSW.
  • Contracts involving the exchange of personal information with Commonwealth agencies.
  • Contracts with service providers located outside of NSW, such as outsourcing agreements.

Agencies should also review their consent forms and procedures and consider whether any changes are required (or whether any procedures may be streamlined) in respect of the collection and disclosure of personal information as a result of the changes.

Peter Mulligan

I am passionate about the success of the firm's clients and doing everything to ensure we exceed expectations.

Peter Mulligan Partner

Peter is a specialist in all areas of commercial and technology law, with a particular focus on projects involving complex contractual structures and arrangements. He is recognised by his clients and peers as an expert in tendering and procurement.

Peter's clients call upon him to advise on projects involving the acquisition, licensing or supply of large-scale hardware, information technology, telecommunications systems and other goods and services. His expertise includes outsourcing, managed services and bespoke contractual arrangements.

In the government sector, Peter is an expert in State and Federal procurement, advising government departments and agencies on procurement reform, tendering, legislative compliance, delegations of authority and agency restructures.

One of Peter's career highlights has been acting for Global Television (now NEP Australia), on its agreement to design, install and operate the international broadcast centre for the 2014 Commonwealth Games in Glasgow, Scotland. This included advising on the tender by the Organising Committee, structuring of arrangements for the supply of host broadcast services for the Games, and negotiations in London of a complex suite of contracts to document the deal including with UK joint venture partner Sunset + Vine.

Peter regularly presents to clients and industry on complex contractual issues, including indemnities, the Civil Liability Act 2002 (NSW), limitations and exclusions of liability, the law of penalties, product liability and the Australian Consumer Law.

">
see my profile
Monique Azzopardi

I desire the very best for HDY's clients. I deliver practical legal solutions that are legally and commercially robust.

Monique Azzopardi Senior Associate

Monique is a specialist in commercial and government law, with a particular focus on procurement, technology projects and transactions, intellectual property and privacy.

Monique has broad commercial experience acting for government and private sector clients, particularly those in the technology, health, education and transport industries.

Monique provides specialist advice relating to technology projects and transactions, the procurement of goods, services and major works, intellectual property, data protection and the Australian Consumer Law. She is regularly called upon to negotiate and draft complex commercial agreements.

With strong public sector knowledge and experience, Monique advises government clients on statutory interpretation and compliance, administrative law, probity issues, government decision making and all aspects of tendering and procurement.

Monique has gained significant in-house experience by undertaking secondments for different entities, including as Relieving Principal Legal Officer at the Department of Education and more recently as Acting Legal Counsel Commercial, Projects and Safety at Transport for NSW.

">
see my profile