Privacy and personal information
The Privacy and Personal Information Protection Act, 1998 (the Privacy Act) was introduced in stages with key parts commencing on 1 July, 2000. The Act provides protection for personal information and the privacy of individuals in general. To achieve this the Act introduces a set of privacy principles that regulate the way Council deals with personal information.

Privacy code of practice

A Privacy Code of Practice (for Local Government) was approved by the Attorney General and is binding on all local government authorities. The Code modifies the privacy principles and the public register provisions of the Privacy Act and enables Councils to fulfil their statutory duties whilst still complying with the Act.

Privacy management

Council’s Privacy Management Plan (PDF 2.3 mb) incorporates the departures brought about by the Privacy Code of Practice (Local Government) and details privacy policies and procedures. The Plan deals with:
  • privacy policies & practices
  • dissemination of those policies and practices
  • procedures for internal review of privacy complaints
  • and other matters considered relevant

What is personal information?

Under the Act, personal information means any information or opinion about an individual whose identity is apparent or can be reasonably ascertained from the information. This definition covers not only traditional ideas of data storage such as paper files, but also electronic records, video recordings, photographs and genetic material. A person does not have to be clearly identified by the information; it is only necessary that their identity can reasonably be ascertained from the information. Whilst the definition of personal information is very broad, the Act excludes certain types of information from the definition. The most significant exceptions are:
  • information about an individual who has been dead for more than 30 years
  • information about an individual that is contained in a publicly available (Council) publication
  • information about a person's suitability for public sector employment
  • a number of exceptions relating to law enforcement investigations

How is personal information protected?

Information is protected by a number of information protection principles contained within the Act. In general terms, the principles apply to the way material is collected, stored, used and disclosed. A summary of the information protection principles appears at the end of this page. It should be noted that the privacy legislation relates to personal information only.

What documents are covered by the Privacy Act?

The Act covers all Council documents in so far as the collection, access and use of personal information is concerned. However, with respect to the disclosure of personal information, local councils are in a unique position in that the requirements of the Privacy Act apply only to personal information held on public registers. Therefore, applications or access requests for personal information from sources other than public registers will continue to be dealt with under Section 12 of the Local Government Act or the Freedom of Information Act *.

* Notwithstanding the above, a person may stipulate that access to his/her own personal information be provided under the PPIPA.

What is a public register?

The Act defines a public register as a register containing personal information which is required by law to be, or is made, publicly available or open to public inspection. Registers held by Council include:
  • Rates record (s. 602 L G Act)
  • Register of development applications and consents (cl. 109A) E P & A Act Regs.
  • Land register (s.53 L G Act)
  • Register of disclosure of interest (s. 450A L G Act)
  • Register of candidates campaign donations (s.328 L G Act)
  • Register of delegations (s. 377 L G Act)
  • Record of approvals (s. 113 L G Act)
  • Record of building certificates (s. 149G) E P & A Act
  • Accreditation bodies’ register (cl. 81H) E P & A Regs.
  • Register of development complying applications (cl. 109B) E P & A Regs.
  • Register (s. 52(1)) Environmentally Hazardous Chemicals Act 1985
  • Register (s.308) * Protection of the Environment Operations Act, 1997
  • Heritage and conservation register (s.170) Heritage Act 1977
The register required to be kept under the Companion Animals Act, 1998 is not considered to be a public register in terms of the PPIP Act.

How should you deal with a request for information held on a public register?

The Privacy Code allows councils to depart from the requirements of the Act in the following ways.
  • Council may allow any person to inspect a public register (and obtain a copy of a single entry or a page of that register) without requiring the person to provide a reason for access and without having to determine if the proposed use is legitimate
  • Council may disclose (by way of access, copy or sale) whole or substantial parts of a public register, provided the name and addresses of all current and previous property owners and/or applicants are not disclosed
The Code allows some discretion with respect to public access (sale/copy) to whole or substantial parts of a public register. However, having regard to the intention of the Act and the potential for inappropriate use, Council will continue with the current practice whereby bulk property data will be made available for purchase but listings will not include personal information.

Whilst staff are no longer required to ask a person why they want personal information from a public register, access should still be refused where a particular use is known to be inappropriate. Staff can require the applicant to complete a statutory declaration prior to providing any information if it was thought to be appropriate in any particular case. Statutory declarations are available from Counter Services staff at Nowra and Ulladulla offices. Completed declarations should be forwarded to the Records Section for registration and filing.

What is a legitimate purpose?

According to the Privacy Commission, most public concern about privacy breaches from councils relates to personal information disclosed from the rate record. Whilst the rate record has been used for the purpose of these guidelines, the examples of information ‘usage’ given would generally relate to other registers held by Council.

The primary purpose of the rate record is to record the value of a parcel of land and record rate liability in respect of that land. The secondary purpose includes recording the owner or lessee of each parcel of land. Due to the emphasis on local government processes and information being open and accountable, it is considered that a secondary purpose for which all public registers are held includes the provision of access to members of the public. Of course, only the minimum amount of personal information should be disclosed in regard to any request.

Use by Council

Legitimate Council use would include:
  • levying of rates on a property
  • taking out easements over properties
  • bushfire hazard & noxious weed control
  • law enforcement
  • notification of development proposals
  • administrative purposes

Use by government agencies

Information should continue to be made available to other government agencies where it is to be used for legitimate purposes. Council regularly receives requests for ownership and property details where owner notification or contact (individual or multiple) is required or considered appropriate.

Applications for personal information from a register (bulk listings etc) should be in writing and proposed use should be clearly stated. The use should always relate to activities associated with the functions of that agency. (eg DUAP, Waterways, National Parks & Forestry). Other government agencies such as Centrelink and Veterans Affairs will be provided with information where there is a legal requirement to do so.

Business use

One of the main reasons for including public register provisions in privacy legislation was to provide a means of addressing widespread public concerns over the commercial sale of council information. It was generally felt that the information was being used for a reason that had no clear relationship to the reasons for which it was collected. The use of information for marketing purposes therefore needs to be distinguished from legitimate professional use by valuers and real estate agents.
 
With regard to the sale of bulk data (rate record and building/development statistics), Council has taken steps to remove all personal information (names & mailing addresses) from lists and subscribers have been advised accordingly. Lists containing property information only, will continue to be made available for inspection or purchase.

Land transfer notices have traditionally been made available for the inspection of valuers. It is recognised that the names of vendors and purchasers are required in order that valuers can establish whether the price reflects an arm's length sale or not. Whilst councils are not the only source of this information, this is considered to be a legitimate use and Council will therefore allow this access to continue.

Public use

As mentioned, there is no longer any requirement to establish a use prior to disclosing personal information. However, there will be occasions where staff will need some guidance in regard to legitimate and inappropriate use. Legitimate uses would include those relating to:
  • possible sale of a property (prospective purchasers)
  • dividing fences
  • conveyancing matters
  • proposals for use of land (agistment, parking)
  • notifications of backyard burning
  • contact with property owners re complaints (drainage, trees, noise etc)
  • matters involving the safety of a person
  • matters where it is considered that the person would want to be contacted
A person wishing to access their own details from a public register need only prove their identity to Council.

Inappropriate use

Whilst inappropriate uses are more difficult to define, examples could include:
  • where the information was to be used for marketing purposes
  • where it is reasonable to assume that the applicant is contemplating a violent act against the person who is the subject of the enquiry
  • where the information is to be used for private debt recovery purposes
  • where the person named on the register is unlikely to agree to the release of the information for the reason given (apart from those legitimate uses mentioned above)
There will no doubt be occasions when a value judgement with respect to disclosure will need to be made; however, most requests will fall within the examples given. If staff have any difficulty in this regard, the advice of the Information Officer should be sought.

Can a person apply to have their details removed from a public register?

The Act gives people a right to have their personal details hidden or removed from a public register where they can show that the safety or well-being of any person might be affected if the information was to remain on the record. Council must suppress the information unless it is satisfied that the public interest in maintaining public access to the information outweighs any individual interest.

What can an individual do if personal information is collected or used wrongly?

A number of legal remedies are available to people who feel they have had their privacy breached. The aggrieved person may lodge a complaint with the Privacy Commissioner or apply to Council for a review of the conduct which is the subject of the complaint. Legal remedies are available when a public sector agency:
  • breaks an information protection principle
  • breaks a privacy code of practice; or
  • improperly discloses personal information from a public register
There are five possible things an agency can do about a complaint. It can:
  • apologise;
  • offer a remedy such as compensation;
  • promise that the behaviour will not occur again;
  • change its operations to make sure that the behaviour will not occur again;
  • or do nothing.
If the complainant is not satisfied with the Council’s findings or what Council proposes to do, they can appeal to the Administrative Decisions Tribunal. One of the more significant orders the Administrative Decisions Tribunal can make is awarding damages of up to $40,000 to the person making the complaint, where that person has suffered financial loss or was physically or psychologically injured.

Offences

The Act details offences for corruptly dealing with personal information. Harsh penalties (up to a maximum of $11,000 and 2 years in prison) can be given if public sector officials, including former public sector officials, deliberately disclose, or offer to supply personal information outside of their lawful powers. Penalties also apply to any other persons who induce or attempt to induce a public sector official to act in this way (eg bribes and other such conduct).

Further information may be obtained by contacting the Information Officer on (02) 4429 3366.

Information protection principles

The information protection principles are summarised as follows:-

Principle 1 - Collection of information for lawful purposes

  • personal information must not be collected unless for a lawful purpose which is directly related to a function or activity of the agency and collection is reasonably necessary for that purpose
  • collection of personal information must not be by any unlawful means

Principle 2 - Collection of information directly from the individual

  • personal information must be collected directly from the individual unless that person has authorised collection from someone else
  • in the case of a person under 16 years of age, collection may be from a parent or guardian

Principle 3 - Requirements when collecting information

If collected from an individual, reasonable steps must be taken to ensure that, before collection or soon after, the individual is aware of:
  • the collection of the information
  • purpose of collection
  • intended recipients of the information
  • whether supply of information was required by law or voluntary
  • existence of rights of access to and/or correction of information
  • name & address of agency collecting and the agency that is holding the information

Principle 4 - Other requirements relating to collection of personal information

  • collection must be relevant, not excessive, accurate & up to date and complete
  • collection does not intrude, to an unreasonable extent, on the personal affairs of an individual

Principle 5 - Retention & security

In holding information Council must ensure that:-
  • it is not kept for longer than necessary for lawful use
  • it is disposed of securely and lawfully
  • reasonable steps are taken to protect against loss, unauthorised access, use, modification or disclosure & all other misuse
  • reasonable steps are taken to protect against misuse outside Council (consultants, contractors)

Principle 6 - Information about personal information held by Council

Council must take such steps as are reasonable to enable any person to ascertain:
  • whether personal information is held by Council, generally
  • whether personal information is held about that person and if so, the nature of information, purpose of use & entitlement to access

Principle 7 - Access to personal information held by Council

Council must provide access to information to an individual to whom the information relates

Principle 8 - Alteration of personal information

Personal information of the individual concerned must be amended on request so as to ensure accuracy

Principle 9 - Accuracy of information

Personal information must not be used unless, prior to use, reasonable steps have been taken to ensure its accuracy

Principle 10 - Limits of use of information

Personal information must not be used for any purpose other than the purpose for which it was collected unless:
  • the individual consents to the use
  • the other purpose relates to the original purpose for collection
  • use of information would prevent or lessen a serious & imminent threat to life or health of the individual.