The ACT Privacy Regime
Contributed by Dr Bruce Baer Arnold, University of Canberra and current to February 2022.
At a glance
The Territory privacy regime has four aspects that are significant for readers concerned with information or other privacy.
The first aspect, implicit in the preceding part of this chapter, is that the Territory is part of a federal system of government. Its law co-exists with and does not override Commonwealth enactments. Some behaviour may be in breach of both Territory and Commonwealth law. Reference under ACT law to human rights, notably in the
Human Rights Act 2004 (ACT), does not provide scope for enforcement of privacy rights at the expense of the Commonwealth’s legislation regarding the Australian Security Intelligence Organisation or Australian Signals Directorate.
The second aspect is that the Territory inherited and has adapted much law from New South Wales, in particular codification of common law (sometimes very old) regarding criminal activity. That law is often relevant to privacy because, for example, it deals with trespass, stalking and offensive behavior such as covert private recording of people in bathrooms and bedrooms. Such Territory law is independent of information privacy and of Commonwealth law. It covers private individuals. Its main value may be deterrence through criminalisation rather than scope for compensation where privacy has been disregarded.
The third aspect is that the Territory has enactments that specifically address information privacy aspects of the Territory’s public administration (ie government agencies and public hospitals/clinics) and of sectors, of which the most notable is workplace privacy (irrespective of whether the workplace is in the public or private sectors).
The fourth aspect is that although the Territory aspires to be a progressive ‘human rights’ regime there is no enforceable overall right to privacy and no single all-encompassing privacy enactment. This part of the chapter accordingly highlights three salient Territory enactments before pointing to some other sources of law in the ACT.
Specific reference in the Territory’s
Human Rights Act 2004 was noted above.
Section 12(a) of that Act states that everyone has the right ‘not to have his or her privacy, family, home or correspondence interfered with unlawfully or arbitrarily’.
That provision has sometimes been misread as providing people in the ACT with a comprehensive enforceable right, ie scope to disregard Territory or Commonwealth enactments on the basis that such legislation is contrary to what the litigant perceives as that person’s privacy. Alternately, people have misread
s 12 as requiring ACT courts/tribunals to find that legislation is invalid and accordingly cannot be enforced because it is contrary to the
Human Rights Act. That misunderstanding may be of particular significance for self-represented litigants, some civil society advocates and of course ‘sovereign citizens’ who selectively deny the authority of Commonwealth/Territory law, courts and tribunals.
As noted above the Act does not provide for comprehensive invalidation of ACT enactments regarding the public and private sectors. Courts have noted the reference to ‘unlawful’ and ‘arbitrary’, further commenting on appropriateness (centred on proportionality) in action by officials – including correctional facility staff and police – and businesses. One conclusion to be drawn from preceding paragraphs in this chapter, and more broadly from other chapters in this Handbook, is that activity that an individual subjectively considers to be egregiously invasive of their privacy may be specifically authorised by an enactment and deemed by courts on an instance by instance basis to be appropriate given that human rights involve balances and that privacy rights do not ‘trump’ other rights.
Until 2014 the Territory was covered by the national privacy enactment, consistent with the ACT’s slow movement to maturity. The ACT Legislative Assembly belatedly developed a discrete information privacy enactment – the
Information Privacy Act 2014 (ACT) – that replaced coverage by the Privacy Act 1988 (Cth). It complements the
Workplace Privacy Act 2011 (ACT) and the
Health Records (Privacy and Access) Act 1997 (ACT), discussed below.
As the title implies, the Act is restricted to information privacy (and thus for example does not extend to restrictions on searches of inmates of the Alexander
McConnachie correctional facility). It is modelled on the 1988 Commonwealth Act, with the Commonwealth Privacy Commissioner (within the OAIC) also serving as the Territory Privacy Commissioner.
Its objects are to -
a) promote the protection of the privacy of individuals
b) recognise that the protection of the privacy of individuals is balanced with the interests of public sector agencies in carrying out their functions or activities
c) promote responsible and transparent handling of personal information by public sector agencies and contracted service providers
d) provide a way for individuals to complain about an alleged interference with their privacy.
This Act covers the ACT government rather than the private sector (with medium and large businesses instead covered by the national Privacy Act), with some exceptions. It thus covers enterprises that are contracted by Territory agencies as service providers in relation to that service provision. It excludes boards of inquiry under the
Inquiries Act 1991 (ACT), judicial commissions and the judicial council under the
Judicial Commissions Act 1994 (ACT), royal commission under the
Royal Commissions Act 1991 (ACT), Icon Water and Distribution, and agencies prescribed by regulation.
Under the Act ‘personal information’ is information or an opinion about an identified individual (or an individual who is reasonably identifiable) irrespective of whether the information or opinion is true and whether it is recorded in a material form. It does not include personal health information about the individual, for which readers should instead look to the
Health Records (Privacy and Access) Act 1997 (ACT), noted below.
The ACT centres on 13 Territory Privacy Principles, independent of but closely resembling the APPs discussed in the preceding part of this chapter.
Territory Privacy Principles (TPPs)
The TPPs are structured in five parts and are found in Schedule 1 of the Act.
Part One identifies the requirement for ACT ‘public sector agencies to consider the privacy of personal information, including ensuring that public sector agencies manage personal information in an open and transparent way’. Part Two deal with the collection of personal information, including unsolicited personal information. Part Three deals with how the agencies deal with personal information, including use and disclosure. Part Four covers the integrity of that information, including data security. Part Five deals with requests for access to and the correction of the information.
The TPPs in summary are:
- TPP 1: open and transparent management of personal information
- TPP 2: anonymity and pseudonymity
- TPP 3: collection of solicited personal information
- TPP 4: dealing with unsolicited personal information
- TPP 5: notification of the collection of personal information
- TPP 6: use or disclosure of personal information
- TPP 8: cross‑border disclosure of personal information
- TPP 10: quality of personal information
- TPP 11: security of personal information
- TPP 12: access to personal information
- TPP 13: correction of personal information.
Specific features of each TPP closely resemble this in the APP discussed above.
The
Workplace Privacy Act 2011 (ACT) extends across locations visited by most people in Canberra on an ongoing basis: offices, factories, warehouses, retail and entertainment facilities. It predates the more restricted
Information Privacy Act but centres on information specific to individuals.
Its coverage includes the electronic spatial tracking of employees in transit or otherwise not at the employer’s premises. The Act has been criticised as overly broad, on the basis that it does not restrict lawful surveillance by employers to what is ‘reasonable and necessary’.
The ‘main object’ of the Act is regulation of ‘the collection and use of workplace surveillance information’, with ‘surveillance’ meaning surveillance using a ‘surveillance device’. The definition of the device is broader than in ‘listening devices’ enactments elsewhere in Australia: it comprises a data surveillance device, optical surveillance device, tracking device or device of a kind prescribed by regulation. A ‘tracking device’ is ‘an electronic device capable of being used to work out or monitor the location of a person or an object or the status of an object’ and thus includes both biometric and GPS technologies.
The Act permits surveillance using closed circuit television and other devices within public/private premises, subject to ‘employees’ (including contractors and volunteers) to those premises being notified – through for example signage rather than through an individual letter or other personal communication – that surveillance may take place. That notification is found in other jurisdictions, with businesses, educational/research institutions and government agencies for example using ‘log-on’ warnings to alert people that using a corporate network signifies the person’s acceptance of scrutiny of email, web browsing and other network applications – featured in a substantial number of employment disputes. (Such acceptance is recognised in section 19 of the Act.)
The Act however prohibits surveillance in ‘private areas’, notably toilets, change rooms, showers, ‘parent ‘or nursing rooms, prayer rooms, sick bays and first-aid rooms on the basis that there is a community expectation of privacy in those spaces. Note that the Act coexists with provisions under ACT criminal law regarding unauthorised private use of video devices (including smartphones) by voyeurs, evident in several court cases.
The Act provides scope for authorised covert (ie un-notified) surveillance by employers who are able to demonstrate to the Magistrates Court that there is a reasonable suspicion that a person is engaging in unlawful activity and the that covert surveillance is necessary to prevent the unlawful activity. In the absence of notice or authorisation the employer commits an offence. The employer is also required to ensure that records created through surveillance devices – covert or otherwise – are protected from ‘misuse, loss, unauthorised access, modification or disclosure’. Under section 23 of the Act an employee has a limited right to access the surveillance data about that person.
Health Records
The
Health Records (Privacy and Access) Act 1997 (ACT) covers public and private health providers in the Territory; it is not restricted to ACT public hospitals. It is a consumer-oriented statute that provides for ‘privacy rights in relation to personal health information’, the ‘integrity of records containing personal health information’ and ‘access to personal health information contained in health records, responding to criticisms of the High Court’s 1996 decision in Breen v Williams. The Act also provides for a ‘consumer’ to receive an explanation of the consumer's personal health information and seeks to ‘encourage agreement, concerning the exercise of a right or performance of an obligation’ under the Act.
The ACT enactment is independent of the national
My Health Records Act 2012 (Cth) dealing with the national
MyHR – formerly PCEHR – electronic health records scheme.
Under the Act ‘personal health information’ is defined as any personal information (including fact and opinion) relating to the individual’s health, illness or disability or collected by a health provider in relation to the consumer's health, illness or disability. The definition of ‘health service’ is capacious, covering any activity intended or claimed by the service provider to assess, record, improve or maintain the physical, mental or emotional well-being or to diagnose or treat an illness or disability. It includes a disability, palliative or aged care service that involves the making or keeping of personal health information. The intention is to cover information without a restriction to a specific format, and the Act thus encompasses all or part of a record in a documentary or electronic form, such as clinical notes, test results, photographs and X-rays but not de-identified research material.
For many readers the salient feature is provides that an individuals has a right of access to his or her medical records unless the provision of the information would constitute a significant risk to the life or health of any person, would contravene a law or court order, or the record is subject to an obligation of confidentiality. The Act includes specific provisions regarding access to health records of children, deceased people and adults who are legally incompetent and subject to an enduring power of attorney or a guardianship order and deceased people. Subject to safeguards, guardians and legal representatives have the same access rights as a living adult individual would have to their own health record.
The Act centres on 12 Privacy Principles, summarised as follows. Note that they are not identical with the APPs and the TPPs.
Principle 1: Manner and purpose of collection of personal health information
Principle 2: Purpose of collection of personal health information to be made known
Principle 3: Solicitation of personal health information generally
Principle 4.1: Storage, security and destruction of personal health information—safekeeping requirement
Principle 4.2: Storage, security and destruction of personal health information—register of destroyed or transferred records
Principle 4.3: Storage, security and destruction of personal health information—destruction of health information
Principle 5: Information relating to records kept by record keeper
Principle 6: Access to health records by people other than the consumer
Principle 7: Alteration of health records
Principle 8: Record keeper to check accuracy etc of personal health information before use etc
Principle 9: Limits on use of personal health information
Principle 10: Limits on disclosure of personal health information
Principle 11: Relocation and closure of health service practice
Principle 12.1: Consumer moves to another health service provider
Principle 12.2: Health service provider moves to another health service practice
Under the Act it is an offence to request or obtain access to a health record by intimidation or false representation, and (in the absence of reasonable grounds) to try to get a consumer to refrain from requesting access to a record, for requesting a review of a claim for exemption or to withdraw either of these requests. Destroying, defacing or otherwise damaging a health record (or removing it from the Territory) to evade or frustrate the operation of the Act is also an offence.
The Act is not administered by the Territory Privacy Commissioner (in other words by the OAIC). Instead, it is the responsibility of the Health Commissioner within the ACT Human Rights Commission. That results in a different path for complaints about health information privacy in the Territory.
Other ACT legislation
This chapter began with a discussion of different perceptions of privacy (and privacy rights) and different circumstances that might involve an inappropriate interference with a person’s privacy. One reason for that discussion was to highlight that information privacy is not the only type of privacy and that on a day by day basis many people will be more concerned about, for example, intrusive image-making than sharing of their Tax File Number or other identifiers and display of their driver’s licence as a condition for entry to a club. Some people will be deeply concerned about access to information about sexual affinity, marital status, legitimacy or adoption. Other may be indifferent. Some people will incorrectly assume that they have a right to restrict mainstream media reporting of what appears in a court report or at a funeral.
In thinking about existing protections for privacy under ACT law and the scope for law reform it is therefore important to recognise that protection may be specifically protected or specifically reduced in a range of Territory enactments that coexist with protection under contract, equity and confidentiality law. Such enactments include the
- Freedom of Information Act 2016 (ACT),
- Coroners Act 1997 (ACT),
- Crimes (Protection of Witness Identity) Act 2011 (ACT),
- Spent Convictions Act 2000 (ACT),
- Corrections Management Act 2007 (ACT),
- Crimes (Surveillance Devices) Act 2010 (ACT),
- Adoption Act 1993 (ACT) and
- Crimes Act 1900 (ACT)
that relate to particular circumstances.
The following part of this chapter highlights some of those circumstances but is not exhaustive and readers should seek legal advice.