Guide - Seeking a Public Interest Direction under NSW privacy laws

View the document below or download it here Guide - Seeking a Public Interest Direction under NSW privacy laws October 2019

1. What is a Public Interest Direction?

Under the NSW privacy legislation the NSW Privacy Commissioner may make, with the approval of the relevant Minister, a Public Interest Direction to exempt or modify the requirements for a NSW public sector agency (or agencies) to comply with:

  • Information Protection Principles (IPPs) under the Privacy and Personal Information Protection Act 1998 (PPIP Act),
  • Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (HRIP Act), and/or
  • Privacy or health privacy codes of practice under the PPIP Act or HRIP Act.

A Public Interest Direction is a short-term mechanism that provides flexibility for agency program trials, transitional arrangements or an urgent agency need to collect, use, disclose and/or access personal information.

A direction:

  • allows agencies to temporarily depart from the IPPs, HPPs or provisions of an existing code of practice for a specific period of time if it is in the public interest.
  • may be required if an agency has developed or wishes to test a specific temporary program or project or wishes to engage in a particular activity that requires the collection, use, disclosure and/or access to personal information and where the agency considers that this would be in breach of the IPPs, HPPs or existing code of practice.
  • cannot permit conduct that would be unlawful under other laws.
  • does not override other laws, contracts or agreements, which already affect an agency.

If a long term exemption or modification is required, a privacy code of practice, or, legislative amendment to agency enabling legislation or to the privacy legislation may be more appropriate.

Agencies should contact their Privacy Contact Officer and/or legal team about options and refer to the privacy pages of the IPC website and Privacy Governance Framework for further information about privacy codes of practice.

2. The public interest test to assess the need for a direction

A fundamental consideration for the agency and the Privacy Commissioner is whether the public interest to make the direction is greater than the impact on privacy. Under section 41 of the PPIP Act and/or section 62 of the HRIP Act the Privacy Commissioner must consider the ‘public interest’ involved to determine whether a direction should be made under each Act.[1]

This involves balancing:

  1. the public interest in requiring the agency/agencies to comply with the IPPs, HPPs or existing code of practice, with
  2. the public interest in making the direction.

To assist the Privacy Commissioner in this decision an agency should provide a clear description of why the exemption or modification to the IPPs, HPPs or code of practice is necessary to support or contribute to the project, program or policy outcomes. An agency should also clearly articulate the public interest or benefit in the modification or exemption in order for the program or project to operate. This will usually require describing the information being collected, used, disclosed or accessed, why this is necessary and what benefits will flow from the proposed collection, use, disclosure or access.

Some examples of how to articulate the public interest are in Appendix 1.

3. Steps in preparing a direction
  1. The agency thoroughly analyses and understands:
  1. The operational need for collection, use, disclosure and/or access to personal information and how it might be in breach of the IPPs, HPPs or existing code of practice, and
  2. Whether a mechanism already exists to undertake the program or project.

This process should be completed in consultation with the agency’s privacy or legal unit. Undertaking a Privacy Impact Assessment will be helpful at this preliminary stage. The Privacy Commissioner strongly recommends a Privacy Impact Assessment at the initial stage of a project.

The IPC has developed a checklist to assist agencies with the process of preparing a Public Interest Direction. The checklist outlines the preliminary steps an agency should undertake before seeking advice from the IPC.

  1. The agency contacts the Privacy Commissioner to advise and discuss its need for a direction.
  2. The agency submits the draft direction to the Privacy Commissioner for consideration with a covering letter making the case for the direction. Appendix 1 provides detailed guidance on the information that an agency should include in a request for a direction.
  3. The agency is encouraged to also advise the Department of Communities and Justice policy team and/or Ministry for Health’s legal team that a draft direction has been submitted to the Privacy Commissioner for consideration.
  4. The Privacy Commissioner will review the draft direction and may seek further information, justification and/or amendments to the draft direction.
  5. If the Privacy Commissioner is not satisfied that there is a sufficient public interest to justify an exemption from or modification to the IPPs, HPPs or existing code of practice, this is communicated to the agency.
  6. If appropriate the Privacy Commissioner will brief the relevant Minister/s and/or Minister for Health on requests for Public Interest Direction/s.
  7. If the Privacy Commissioner considers that there is a sufficient public interest, the Privacy Commissioner will write to the relevant Minister/s and/or Minister for Health (as appropriate), seeking approval for the direction.
  8. If the relevant Minister/s and/or Minister for Health approves the making of the direction, the Privacy Commissioner will make the direction by signing the final direction. The direction comes into effect once the Privacy Commissioner signs the document.
  9. The Privacy Commissioner will advise the agency that the direction has been made, publish the direction on the relevant website and notify relevant stakeholders.
4. Timeframe to make a direction

The process to obtain a direction can vary due to its complexity and other factors.

Agencies seeking a direction will need to factor in for the Privacy Commissioner, relevant Minister/s and/or Minister for Health to consider and, if satisfied, approve the making the direction. If an agency considers that a direction is needed urgently, it should contact the Privacy Commissioner to discuss how it may be expedited.

5. Resources
 
For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:         1800 472 679
Email:             ipcinfo@ipc.nsw.gov.au
Website:         www.ipc.nsw.gov.au

 
Appendix 1: Making the case for a Public Interest Direction

To assist the Privacy Commissioner in assessing the public interest to make the proposed Public Interest Direction in accordance with the PPIP Act or HRIP Act, agencies should clearly describe:

  1. The background for the direction, such as:
  • authority or decision for the specific program or project (e.g. the legislative or policy basis).
  • the purpose or objective of the program or project.
  • the particular issue or problem being addressed in the proposed direction.
  • the duration for the proposed direction (noting that directions are temporary in nature).
  • whether other agencies have been consulted on the draft direction.
  • whether a Privacy Impact Assessment was conducted, its findings and recommendations and the extent in which the agency will adopt those recommendations.
  1. The specific details of personal or health information that will be collected, used, disclosed or accessed at each point of the program or project. There should be an outline of the proposed information flow between agencies or other organisations.
  2. How the proposed collection, use, disclosure or access would be in breach of the Information Protection Principles (IPPs) and/or Health Privacy Principles (HPPs) or existing code of practice if there was no direction in place, and whether:
    • an exemption or modification to each IPP, HPP or provision in the existing code of practice is sought (or not).
    • the agency has considered other mechanisms to enable information exchange through existing exemptions, changes in legislation or other mechanisms. The agency must explain why other alternative mechanisms are not feasible.
    • the agency will continue to explore a long term mechanism by other means (such as a code of practice, or, an amendment to agency enabling legislation or the privacy legislation).
  3. The public interest or benefit in making the direction, including:
    • a description of why the particular activities or functions require a modification of the IPPs, HPPs or existing code of practice.
    • the short term and or long term benefits from the particular activities or functions arising from the modification of the IPPs, HPPs or existing code of practice (rather than the benefits of the overall program or initiative).

      Note: stating the benefit or objective of the program or project will not usually be sufficient to justify a direction, particularly if other mechanisms can be used to achieve the outcome and comply with legislation. Examples of framing the public benefit in making a direction are:

      • in a direction relating to a casemanagement program for likely reoffenders, the public benefit from collecting personal information is better targeting of the program to select those most likely to benefit – not just ‘reduced offending.’
      • in a direction relating to the roll-out of a new technology in regional areas, the public benefit for sharing information is more timely and comprehensive identification of landholders to support communication and roll-out of infrastructure – not just ‘improved broadband access.’
    • whether there is a government policy or decision that requires an exemption to the privacy principles to be sought (or any other origins).
  4. How any evaluation of the initiative will consider privacy, such as by addressing whether:
    • privacy was taken into account in the design of the program or project.
    • the privacy considerations impact on the outcomes of the program or project.
    • the outcomes of the program or project could have been achieved with a lesser impact on privacy.
  5. Any other information that the agency thinks appropriate and necessary for the Privacy Commissioner’s consideration of the public interest to make the direction. For example:
    • the impact on individu als’ or the community’s privacy interests and/or expectations.
    • the agency’s ongoing governance arrangements to manage the sharing of information.
    • any loss of enforceable privacy rights and any consideration of alternative measures or amendments to avoid loss of those rights. For example, to avoid loss of rights in the event the initiative results in personal and/or health information being
      mis-handled by entities that are not subject to enforceable obligations under the privacy legislation.
 

[1] Section 41(3) of the PPIP Act; section 62(3) of the HRIP Act