Compliance a must with new NSW disclosure requirements
18 January 2016
The Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) sets out the legislative framework for the management and protection of personal information by NSW public sector agencies.
In late November 2015, the NSW Parliament passed the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Bill 2015 (Amending Legislation). The Amending Legislation heralds a suite of amendments to the PPIPA. Some of the amendments have already come into effect.
The focus of this Insight is on the changes to section 19 of the PPIPA, which concern the disclosure of personal information to persons or bodies outside NSW and to Commonwealth agencies. Those changes come into effect on 1 April 2016.
In this Insight we summarise the key changes to the PPIPA, discuss the background to the section 19 changes and look at the implications of those changes for the NSW public sector.
WHAT IS CHANGING
The Amending Legislation:
- Introduces new conditions in section 19(2) of the PPIPA (which will replace existing subsections 19(2) to (5)) about when public sector agencies may disclose personal information to interstate persons or bodies or to Commonwealth agencies.
- Amends the PPIPA to permit public sector agencies to collect, use and disclose personal information for certain research purposes based on existing exemptions applicable to health information under the Health Records and Information Privacy Act 2002 (NSW) (HRIPA).
- Clarifies that the exemptions in the PPIPA relating to law enforcement extend to law enforcement for the purposes of the Commonwealth or another State or Territory.
- Extends the meaning of "investigative agency" in section 3 of the PPIPA to include additional public sector agencies with investigative functions or that conduct an investigation on behalf of another public sector agency.
- Incorporates into the PPIPA a number of long-term NSW Privacy Commissioner public interest directions that provide exceptions to the Information Protection Principles (IPPs).
SPOTLIGHT ON SECTION 19
Section 19(2) currently provides that a public sector agency must not disclose the personal information that it holds to any individual or body who is in a jurisdiction outside NSW or to a Commonwealth agency unless there is a relevant privacy law in force that applies to the personal information concerned, or the disclosure is permitted under a privacy code of practice (Privacy Code of Practice). Subsections (3) to (5) provide guidance in relation to the operation of subsection (2). For example, subsection (4) stipulates that the Privacy Commissioner is to prepare a Privacy Code of Practice. Subsection (5) indicates that subsection (2) does not apply until a Privacy Code of Practice is made.
One of the difficulties with section 19 is that, despite the section being over a decade old, no Privacy Code of Practice has been made for the purposes of section 19(2), and therefore the section has never applied in practice. In addition, the former Administrative Decisions Tribunal in GQ v NSW Department of Education and Training (No 2) NSWADT 319 (the GQ decision) has interpreted section 19(2) in such a manner as to place no effective limitations on interstate disclosures.
Up until now, this has created an uncertain landscape for NSW government agencies to operate within, with many agencies (notwithstanding the GQ decision) adopting a conservative approach of ensuring compliance with the requirements of section 18 which prescribe general limits on disclosure of personal information. It has also created an inconsistency with the HRIPA and equivalent transborder disclosure frameworks in other States, such as Victoria and Queensland.
The Amending Legislation seeks to address this gap by introducing a list of conditions on when NSW government agencies may disclose personal information outside NSW and to Commonwealth agencies. Those conditions are:
- The agency reasonably believes the recipient is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the IPPs;
- The individual expressly consents to the disclosure;
- The disclosure is necessary for the performance of a contract between the individual and the agency or for the implementation of pre-contractual measures taken in response to the individual's request;
- The disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the agency and a third party;
- All of the following apply:
  - the disclosure is for the benefit of the individual;
  - it is impracticable to obtain the consent of the individual; or
  - if it were practicable to obtain such consent, the individual would be likely to give it;
- The agency reasonably believes the disclosure is necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person;
- The agency has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient inconsistently with the IPPs; or
- The disclosure is permitted or required by an Act or any other law.
WHAT THE CHANGES WILL MEAN FOR NSW GOVERNMENT AGENCIES
As a result of the GQ decision, sections 19(2) to (5) have proven to be a vague area which has led to compliance risks for NSW government agencies.
The Amending Legislation is a positive step as it removes the reference to a Privacy Code of Practice and provides some clarity about when agencies can disclose personal information outside NSW and to Commonwealth agencies. It ensures that the regime governing the disclosure of personal information outside NSW and to Commonwealth agencies is more closely aligned with the original object of section 19(2) to safeguard and protect personal information whether it is located or used within or outside NSW. It also brings section 19 in line with the HRIPA.
Because of the wide-ranging nature of new section 19(2), the changes will, in practice, provide significant scope for NSW government agencies to disclose personal information outside NSW and to Commonwealth agencies. For example, under the new legislation a disclosure can be made for the broad purposes of being necessary for the performance of a contract between the individual and a NSW government agency or the performance of a contract concluded in the interest of the individual between a NSW government agency and a third party. It will be interesting to see how these amendments are interpreted by courts and tribunals in practice.
For now, subject to ensuring compliance with the new requirements, we do not anticipate a significant change in how NSW government agencies deal with interstate disclosures and disclosures to Commonwealth agencies.
In the lead-up to commencement of the new provisions on 1 April 2016, NSW government agencies should review any contracts which involve the disclosure of personal information outside of NSW or to Commonwealth agencies to ensure they comply with the changes. This would include reviewing:
- Cloud contracts where data is stored outside of NSW.
- Contracts involving the exchange of personal information with Commonwealth agencies.
- Contracts with service providers located outside of NSW, such as outsourcing agreements.
Agencies should also review their consent forms and procedures and consider whether any changes are required (or whether any procedures may be streamlined) in respect of the collection and disclosure of personal information as a result of the changes.