On 1 April, a new Transborder Disclosure principle will commence in NSW. The revised section 19(2) of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), will – if it is interpreted the correct way – raise the bar when public sector agencies across State and local government seek to disclose information outside NSW, including to the Commonwealth government.
But here’s the kicker – if it is interpreted the correct way.
You see, we’ve had a long and messy history of getting this wrong in NSW. So horribly wrong.
I’ve written before about the ‘not in NSW’ loophole. The way that s.19(2) has been interpreted by the ADT and its successor NCAT resulted in a loophole that effectively allowed for information laundering. Just wash your dirty data somewhere outside of NSW, and then you can bring it back inside the borders, without breaching privacy law.
Say you work at a public sector agency in NSW – a government department, a local council or a university – and you want to disclose something that you know you can’t, because it is prohibited by s.18 of PPIPA, which sets the standard for disclosure.
But according to a history of cases in the Tribunal – first the ADT and then its successor NCAT – if the disclosure is going to be made to someone outside NSW, then the normal disclosure rule at s.18 doesn’t apply. You can just ignore it! Instead, the ‘transborder’ rule at s.19(2) applied. Except that, in a historical quirk, s.19(2) has never actually applied in practice. (For the provision to start applying, it needed a trigger in the form of a Code, which was never made.) It sat on the statute books, without ever actually coming into force, from 1998 until 1 April this year, when it will finally be replaced.
The effect of this interpretation of the interplay between sections 18 and 19(2) meant that any personal information could be disclosed to anyone, without having to pass any kind of test (like ‘with consent’, or ‘for a directly related secondary purpose’, or ‘for a law enforcement purpose’, etc) – so long as the recipient was outside NSW.
That was clearly an absurd outcome. Not only was s.19(2) failing to set a higher standard for transborder disclosures, it was in fact undermining the normal disclosure rule.
In welcome news, last year the Government finally decided to fix this ridiculous situation. The Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Bill 2015 was duly drafted. (The Bill introduced a number of other changes to PPIPA, but here I’m just interested in the transborder disclosure rule.)
Hooray! Champagne all round. Oh, except, oops … I don’t think they got it quite right. I believe there is still the chance that NCAT will interpret s.19(2) the wrong way, and continue to read it as supplanting, rather than supplementing, the standard disclosure rule at s.18.
Sadly, both the Government and the Opposition missed the opportunity to fix this properly. Here’s how.
First, you need to understand the structure of PPIPA:
Section 18 sets the normal rule for disclosure. You know the drill: don’t disclose personal information unless it is for a routine purpose you notified the person about, or it is for a directly related secondary purpose, or you have the person’s consent, or in an emergency, yada yada.
Section 19 then creates “Special restrictions on disclosure of personal information”. It is split into two parts:
- 19(1) is about what the Privacy Commissioner has termed ‘sensitive information’ – information about ethnicity, religion, etc – and sets a very high standard for disclosure, which supplants the rule at s.18; while
- 19(2)-(5) was (and the new s.19(2) will be) about what tends to be called ‘transborder disclosures’, and in my view is intended to supplement, not supplant, the rule at s.18.
The amendment Bill makes no change to s.19(1). It abolishes the old s.19(2)-(5), and replaces it with a new s.19(2).
In the second reading speech of the Bill, the Attorney General Ms Gabrielle Upton stated that the amendment “will impose some additional requirements upon New South Wales public sector agencies when disclosing personal information outside New South Wales, as was originally intended …. This will increase the level of protection for the personal information of New South Wales citizens when it is transferred out of the State”.
Indeed, to reinforce this view, tautology was deloyed in the upper house debate, when the Parliamentary Secretary the Hon David Clarke stated that the new section 19 (2) should be understood as “adding additional requirements” to disclosures of information outside NSW.
So the new transborder provision at s.19(2) is intended to be read as a set of ‘extra’ steps required after you have already satisfied the ‘normal’ disclosure rules at s.18 – which is as it should be. (Think about it – there is no point having a transborder principle at all, unless you want to make it tougher for personal information to leave your own jurisdiction.)
So how it should operate, according to the debate in Parliament (as indeed was, I believe, the original intention in 1998), is that:
- first, any disclosure of personal information must meet the test at s.18, or an exemption to that rule (for example, the disclosure must be for a directly related secondary purpose, or with consent, or whatever), AND THEN …
- if the disclosure happens to be heading out of NSW, then it must ALSO meet the test at s.19(2), or an exemption to that rule.
However as I submitted before a Parliamentary Committee a few days prior, and the Greens accepted and hence argued in debate on the Bill in the Legislative Council, that is not necessarily how NCAT will actually interpret the new s.19(2). To date, the Tribunal has twice interpreted s.19(2) as ‘covering the field’ for disclosures outside NSW, meaning that s.18 can be ignored. I see no reason why NCAT Members would suddenly change their view on that – unless an NCAT Member actually reads the Parliamentary debates in detail, and decides to change their interpretation accordingly.
One of the reasons why NCAT has interpreted things this way is because s.19(1) – the rule in relation to ‘sensitive information’ – absolutely SHOULD be read as ‘covering the field’, supplanting rather than supplementing the ‘normal’ rule at s.18. (The other reason involves understanding Latin – generalia specialibus non derogant anyone?)
This whole problem is because section 19 was poorly drafted in 1998. It is trying to do two different things, requiring two opposite interpretations of how one section should be read in relation to the section immediately before it.
The first half (s.19(1)) is trying to say: “in relation to these special kinds of information (ethnicity, religion etc), please ignore s.18 and INSTEAD do this … ” However the second half (s.19(2)) is trying to say: “in relation to this special kind of disclosure, please keep following but s.18 BUT ALSO do this …”.
Unfortunately the Greens’ suggestion to add an extra clause, to make it bleedingly obvious to NCAT how s.19(1) versus s.19(2) should be interpreted, was not adopted. I think therefore there remains a risk that NCAT will continue to read s.19(2) as being the only rule in relation to transborder disclosures, instead of an extra rule.
I understand that the reason given by the Government for not accepting the Greens’ proposal was so as to enable consistency in drafting between the transborder principles in PPIPA and HRIPA. I don’t think that point is valid. HRIPA does not suffer from the same interpretation problems as PPIPA. (Those of us involved in drafting HRIPA in 2002 learned from the mistakes made in 1998!) HRIPA uses the language of ‘transfer’ in its transborder principle (HPP 14), not ‘disclosure’, so it is already clearer to see that HPP 14 is not supposed to supplant the ‘disclosure’ principle (HPP 11), because it is regulating a slightly different type of conduct anyway.
So … if NCAT does not change its position on how to interpret s.19, I believe that the standard for disclosures heading outside NSW will continue to be weaker than for disclosures made inside NSW.
For example, if NCAT maintains its past position that s.18 does not apply to disclosure if the personal information is heading outside NSW, all an agency needs to do in order to disclose personal information to, say, an agency in Victoria or a business in Singapore is say that the disclosure is “necessary for the performance of a contract between the individual and the public sector agency”. Or they could say “oh, we reasonably believe that the recipient is subject to a law that upholds similar privacy principles” (but note there is nothing in that rule to require that that interstate or foreign law must be capable of actually providing an enforceable remedy to the NSW victim of a privacy breach). Or the disclosing agency could bind the recipient by way of contract to comply with the same standards as NSW; there are multiple ways to comply with the transborder disclosure rule.
Don’t get me wrong. I think Parliament’s intention is clear from the debates on the Bill, that s.19(1) should supplant s.18, while s.19(2) should supplement, but not supplant, s.18. Any disclosures of personal information heading outside NSW must first meet the standard test for disclosures in s.18, and then also meet the extra test for transborder disclosures at s.19(2). Indeed, we have written our new guide to untangling the disclosure rules on the basis of the Government’s statements in Parliament about how s.19(2) should be applied.
But the proof of the pudding will be whether NCAT also sees it that way. So far at least one law firm seems to have interpreted the amendment as meaning that s.18 doesn’t apply to transborder disclosures, and that the amendment Bill therefore has a permissive effect, opening up the way for easier disclosures on very broad grounds – the opposite outcome to the ‘extra privacy protection’ the Government was aiming for. (Update, 7 March: I understand the NSW Privacy Commissioner is in the process of drafting guidance material on the new s.19(2), which may help to guide interpretation.)
I remain of the belief that a further, simple amendment to s.19 could best guide interpretation of the law – something along the lines of: “Subsection (2) is in addition to the requirements of subsection (1) and section 18”. That’s all it would take to fix this mess.
Frustratingly, the passage of the Bill was a missed opportunity to properly fix a problem that was acknowledged by all sides in Parliament. There might have been a better outcome if there had been public consultation about the Bill beforehand, or if either the Government or the Opposition had been more willing to slow down and listen during debate.
If we can’t even get minor amendments right, NSW privacy laws will remain a laughing stock.
Photo (c) Shutterstock
This blog was updated on 7 March 2016.