I think our privacy laws are too tough. (Collective gasp! An avowed champion of privacy rights thinks the laws are too tough??)
Wait! No! I should clarify, before you think I have lost my mind and gone over to the dark side.
No, I think our laws are too tough to understand, and therefore too hard to comply with. As a result, we probably don’t have great compliance.
Generally, I believe our laws tend to manage the delicate balancing act between competing public interests, like privacy and medical research, or privacy and law enforcement. But in the expression of that balancing act there are so many permutations, double negatives and sub-clauses of sub-clauses that it can make your brain hurt when you try to figure out exactly what the correct rule is.
I’ve written before about the black holes in NSW privacy law, but today I’m concentrating on the convoluted drafting instead. Unfortunately, much of the problem comes from woolly thinking when amendments are tacked on without much thought for the coherence of the legislation as a whole.
Did you know, for example, that in NSW privacy law there are thirteen differently-phrased exemptions relating to disclosures for law enforcement and investigations alone? Some rules only cover health information; some cover personal information but not ‘sensitive information’; some cover transborder disclosures, but others don’t.
Here’s a flavour of the subtle differences.
- One rule for health information is if the disclosure “is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed”.
- The equivalent rule for ‘sensitive information’ (ethnicity, religion etc) is if the disclosure is “reasonably necessary for the purposes of law enforcement in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed”.
- And the equivalent rule for all the other types of personal information is if the disclosure is “reasonably necessary … in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed”.
Why? Why should there be three differently-worded standards for what is essentially the same public interest ground exemption? Because they were drafted in different decades (1998, 2002 and 2015, to be precise), without much thought to each other, that’s why. Yet agencies need to ensure their internal protocols reflect all three different tests. As a result, too much privacy compliance effort is expended on drafting complicated documents, instead of proactive strategies to deliver better privacy outcomes.
The woolly thinking that goes into rushed drafting, without considering the bigger picture, then leads to further anomalies. For instance, in 2015 an amendment Bill introduced both a new ‘law enforcement’ exemption and a ‘research’ exemption, including from the transborder disclosure rule for non-health personal information. Yet there is no equivalent provision allowing the transborder disclosure of health information for either research or law enforcement reasons. So too bad if the research project to help cure cancer is a national endeavour.
This piecemeal approach to drafting – always tinkering and adding, never actually fixing – has also led to different language applying to what should be common concepts like consent. Some sections demand express consent, while others suggest consent could be inferred. Sometimes the thing that must be consented to is an act (e.g. a particular disclosure), while other times it is a state of being (i.e. the state of being non-compliant with a particular rule).
Another example is the ‘emergency scenario’ exemption. In relation to disclosing health information, an organisation needs to “reasonably believe” their disclosure to be necessary; in relation to non-health personal information – but excluding ‘sensitive information’ – they have to “believe on reasonable grounds” that the disclosure is necessary; and for ‘sensitive information’, the disclosure must actually be necessary.
Necessary for what? There the language differs again. Sometimes it is “to lessen or prevent” a threat. Other times it is “to prevent or lessen”. And sometimes just “to prevent”.
And what threats are we talking about? One rule says “a serious and imminent threat to the life or health of the individual concerned or another person”. Another has the same test, but applies it to life, health “or safety”. A third refers to “a serious threat to public health or public safety”.
Anyone else feel exhausted by the mental gymnastics needed to cope with the differences between what should be three identical rules? (Or even better – just one rule!) If the privacy laws were easier to follow, then compliance would be easier, and organisations could focus on delivering better privacy outcomes.
Here at Salinger Privacy we can’t reduce the red tape, but we have come up with a way to untangle the knots for you.
Our new guide, Untangling Privacy, is designed to help you quickly navigate your way through the NSW privacy laws. It is relevant for private sector organisations and State-owned corporations in NSW which are regulated by HRIPA (the Health Records and Information Privacy Act 2002), and NSW public sector agencies (including universities and local councils) regulated by both PPIPA (the Privacy and Personal Information Protection Act 1998) and HRIPA.
The guide offers a set of visual flowcharts, with yes/no answers determining your path, to quickly guide you through the NSW Disclosure principles – and all the convoluted exemptions to those principles. It reflects all the amendments to PPIPA which commenced in 2016, including the new ‘transborder’ rule.
So now you can untangle the knotty legislative rules to quickly figure out the answer to the question: Can we disclose this?
Photo (c) Shutterstock