Seminar: The overlap between information access & privacy rights 15 December 2011



Contents

Seminar objectives

Commissioner’s overview

What is personal information?
    The PPIP Act
    The HRIP Act
    The GIPA Act

Workshop A: Responding to health information requests under GIPA and HRIP
    Scenario summary
    Scenario material
    Activity
    Additional information

Workshop B: Requests for access to personal information where Act not specified
    Scenario summary
    Scenario material
    Activity
    Additional information

Workshop C: Using Clause 3 from the Table to Section 14 of GIPA as a consideration against disclosure
    Scenario summary
    Scenario material
    Activity
    Additional information

Appendix 1 – The Information Protection Principles (IPPS) fact sheet

Appendix 2 – The Health Privacy Principles (IPPS) fact sheet

Appendix 3 – Applying the public interest test – a snapshot


Seminar objectives

At the conclusion of this seminar, participants will be able to:

• appropriately comply with legislation – the Government Information (Public Access) Act 2009 (GIPA Act), the Privacy and Personal Information Protection Act 1998 (PPIP Act), and the Health Records and Information Privacy Act 2002 (HRIP Act)

• make decisions that have the best outcome in the public interest – getting access to personal and health information

• know how to make decisions about appropriate release of personal information

• understand what ‘personal information’ is

• know which Act applies to promote public interest for the applicant.

Commissioner’s overview

On 1 January 2011, the Office of the Information Commissioner merged with Privacy NSW to become the Information and Privacy Commission (IPC), marking a new stage in the service we offer the people of NSW. The creation of the single office gave effect to the New South Wales Law Reform Commission’s recommendation (set out in its 2009 report No.125) that a single office should administer legislation about privacy and access to government information.

Through this ‘single door’ model, service to the public and government agencies is at the centre of the IPC’s operations. One of the key things we will deliver in accordance with the Privacy and Government Information Legislation Amendment Act 2010 is a common point of contact for the public to bring questions or complaints about matters to do with privacy or access to government information. We will also be providing coordinated training, advice and assistance to agencies and individuals about our legislation.

As an organisation the IPC has committed itself to striving to make things easier for the public and agencies. We aim to be helpful in our approach and to ensure our expert advice or the redress we offer is of the highest quality.

The unified perspective of the IPC will lead to us developing more targeted assistance that gives prominence to the areas of tension and overlap between privacy and access, reflecting the competing priorities experienced by agencies as they respond to requests for information, while appropriately respecting people’s personal information. Our aim is to focus on making our services relevant to the situations agencies face on a daily basis. This will enhance our ability to make a useful contribution in the public interest.

The IPC model adopted by New South Wales differs from comparable regimes in that it has two independent champions, both concerned with transparency and holding government accountable. The Privacy Commissioner and the Information Commissioner will consult and collaborate, but at the end of the day each is responsible for their own legislation and for championing their specific mandate in the public interest.

Commissioner’s overview, IPC annual report 2010–11, page 4


What is personal information?

The privacy legislation in NSW is:

• Privacy and Personal Information Protection Act 1998 (PPIP Act)

– is about ‘personal information’ and relates to NSW government agencies

• Health Records and Information Privacy Act 2002 (HRIP Act)

– is about ‘health information’ and relates to NSW government agencies and some private sector bodies.

The information needs to be collected and held by a public sector agency, and for health information also some private sector bodies such as health service providers.

The PPIP Act

Section 4 of the PPIP Act defines personal information as “information or an opinion…about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.

That is, personal information must be information or an opinion, it must be about an individual, and the individual’s identity must be apparent or reasonably ascertainable.

NOTE: The PPIP Act includes a number of exclusions to the definition of personal information (s 4(3)).

Personal information does not include, for example, information:

- about an individual who has been dead for more than 30 years

- in a publicly available publication

- about an individual’s suitability for employment in the public sector

- which is contained in a protected disclosure

- which is not contained in a record.

See Section 4 (3) of the PPIP Act for a full list.

Under Section 4 (4) of the PPIP Act, personal information is ‘held’ by an agency if:

• the agency is in possession or control of the information; or

• an employee of the agency is in possession or control of the information in the course of their employment or engagement; or

• the information is contained in a state record for which the agency is responsible.

Under the PPIP Act (Section 4 (5)), personal information is not considered as collected by a public sector agency if the information is unsolicited.

The HRIP Act

Both “personal information” and “health information” are defined in the HRIP Act. Under Section 5 of the HRIP Act, the definition of personal information is the same as under the PPIP Act. Many, but not all, of the exclusions are the same. See Section 5 (3) of the HRIP Act and Section 4 (3) of the PPIP Act for comparison.

Under Section 6 (a) of the HRIP Act “health information” is defined as personal information about:

• An individual’s physical or mental health, or disability;

• An individual’s express wishes about the provision of health services;

• A health service provided to an individual;

• The term health information also includes other personal information collected to provide a health service (Section 6 (b)).

The HRIP Act applies to “health information” that is collected, held or used by a “health service provider”. The definition of held is consistent with the PPIP Act. Similarly, health information is not considered collected by an organisation if receipt of the information is unsolicited.

Health information is not considered ‘collected’ if the organisation does not ask for the information. Once the organisation records the information though, it is considered ‘held’.

“Health service” is broadly defined in the HRIP Act and includes a list of services (including alternative services), whether provided as public or private services under definitions in Section 4. An agency or organisation does not need to provide a health service to collect or hold health information.

The HRIP Act also defines capacity (s 7) and authorised representative (s 8). The PPIP Act does not. The HRIP Act additionally defines child and parental responsibility (s 8(3)).

The GIPA Act

Under Clause 4 of Schedule 4 ‘interpretative provisions’, the GIPA Act defines personal information in a very similar way as the PPIP Act and the HRIP Act.

The exclusions to the definition of personal information are more limited under GIPA and restricted to:

• Information about an individual who has been dead for more than 30 years; and

• Name and non-personal contact details which reveal nothing more than the fact a person was engaged in exercise of public function.

Some general points

• Under the PPIP Act, the HRIP Act and the GIPA Act, ‘personal information’ includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics

• If a person’s health information is included amongst a lot of their personal information, then both the HRIP Act and the PPIP Act may apply

• A person can apply to access their own personal information under the PPIP Act or GIPA. If there is an overriding public interest against disclosure under GIPA, then this would also apply for a request under the PPIP Act

• A person can only apply to amend their personal information under the PPIP Act (or the HRIP Act if health information)

• If an application/request does not specify which legislation the information is being requested under (e.g. GIPA, PPIP, HRIP) an agency should select the most “cost effective, efficient and convenient” for the applicant, not the agency

• The IPC is developing knowledge updates “Processing requests for personal information” and “Processing requests for health information” which will provide agencies with more detailed guidance and comparisons.


Workshop A

Responding to health information requests under GIPA and HRIP

Scenario summary

A hospital under a specific Local Health District receives an informal request for personal information, which appears to be primarily health information, and makes a decision under GIPA.

Scenario material

You are the information access and privacy officer for LongLife Public Hospital. You receive the following email:

----------------------------------------

I need information from my hospital stay

Dear hospital administrator

I was a patient at LongLife Public Hospital between 1 August 2011 and 11 August 2011 in the general ward. Please send me ASAP to my home address copies of any reports from my meetings with the hospital counsellor during my time in the hospital. I also want copies of all accounts for services I got during my hospital stay.

Thank you

Josef Augustus
Email: [email protected]

----------------------------------------

Your response to this email is to:

• contact the counsellor at the hospital and determine the nature of the reports – for assessment for home care services

• decide to handle the request under the GIPA Act as the information requested was a mix of: health information, personal information and other potentially personal information of third parties (counsellor, service providers, others mentioned in the counsellor’s reports)

• search for and get copies of all accounts, and the reports by the counsellor (social worker)

• provide copies as requested free of charge and informally under GIPA

• advise Mr Augustus of his right to make a formal access application under GIPA if unhappy with access.


Activity

In small groups review the decision-making process and response of the information access and privacy officer for LongLife Public Hospital by discussing the following questions:

1. Is the information requested ‘health information’?

Under Section 6 of HRIP, health information means:

(a) personal information that is information or an opinion about:

(i) the physical or mental health or a disability (at any time) of an individual, or

(ii) an individual’s express wishes about the future provision of health services to him or her, or

(iii) a health service provided, or to be provided, to an individual, or

(b) other personal information collected to provide, or in providing, a health service, or

(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or

(e) healthcare identifiers.

Under S 4 definitions “Health Service” includes the following services, whether provided as public or private services:

(a) medical, hospital and nursing services,

(b) dental services,

(c) mental health services,

(d) pharmaceutical services,

(e) ambulance services,

(f) community health services,

(g) health education services,

(h) welfare services necessary to implement any services referred to in paragraphs (a)–(g),

(i) services provided by podiatrists, chiropractors, osteopaths, optometrists, physiotherapists and psychologists in the course of providing health care,

(j) services provided by optical dispensers, dietitians, masseurs, naturopaths, acupuncturists, occupational therapists, speech therapists, audiologists, audiometrists and radiographers in the course of providing health care,

(k) services provided in other alternative health care fields in the course of providing health care,

(l) a service prescribed by the regulations as a health service for the purposes of this Act.


2. Could this request have been handled under HRIP? Why?

3. Which of the Information Protection Principles or Health Privacy Principles might apply in this scenario? (see Appendix 1 & 2)


Additional information

4. What if the request from Mr Augustus contained the following additional information? Would this information be accessible under the HRIP Act or the PPIP Act? Why?

----------------------------------------

I need information from my hospital stay

Dear hospital administrator

I was a patient at LongLife Public Hospital between 1 August 2011 and 11 August 2011 in the general ward. Please send me ASAP to my home address copies of any reports from my meetings with the hospital counsellor during my time in the hospital. I also want copies of all accounts for services I got during my hospital stay.

During my confinement in hospital I had a very unpleasant encounter with another patient in my ward. His name is Ted Hall. One of your nurses, I think, had to fill out a report about what happened and asked me for details. I want this report too. It might have been called an incident report. That’s all I know.

Thank you

Josef Augustus
Email: [email protected]

----------------------------------------


5. Discuss and summarise how you would approach this revised request.

(See Appendix 3 “Applying the public interest test – a snapshot” for guidance)


Workshop B

Requests for access to personal information where Act not specified

Scenario summary

A NSW state high school receives a letter asking for personal information with $30 attached. The letter does not specify under what Act the information is being sought. The letter suggests it is for the person’s own information. The age of the student is not specified.

Scenario material

You are the information access and privacy officer with the delegated authority to deal with this request.


Activity

In small groups review this request by discussing the following two questions:

1. What would you do first?

2. How would you handle this request under the PPIP Act?


Additional information

The request is now from a parent of a current student rather than the person directly.

3. What relevant factors would you now need to find out and consider?


4. You have determined the counselling was for career advice. What would be the key differences if this request was handled under:

The PPIP Act:

The GIPA Act:

(see Appendix 3 “Applying the public interest test – a snapshot” for guidance)

5. Which approach is most cost effective, efficient and beneficial for the applicant?

Student as applicant:

Parent as applicant:


Workshop C

Using Clause 3 from the Table to Section 14 of GIPA as a consideration against disclosure

Scenario summary

A formal access application is received from an unsuccessful job applicant seeking access to their own referee reports following finalisation of a recruitment process.

Scenario material

You are the Right to Information Officer and Privacy Officer at the Office of the Board for Betterment. You receive the following formal access application from a current employee of your organisation.

You obtain the full recruitment file from your Human Resources Branch for the recent recruitment of the Well-Being Support Officer, Clerk 3.4.

There are two referee reports for Mr Martin Austin:

• Mrs Ayse Lamu, Martin’s current manager at the Office of the Board for Betterment

• Mr Tyson McAuliffe, Martin’s former manager, and the Director at the Committee for Australia for International Standing

Activity

In small groups, review the following application and two referee reports.

1. Discuss whether the requested information is “personal information”. Would it make a difference if this request was received under the PPIP Act rather than the GIPA Act?


2. Would you consult before making a decision?

If so, with whom would you consult? Would you let the applicant know before consulting?

If not, why not?

Additional information

You receive the following objection to the release of information contained in one of the referee reports.


(Appendix 3 – ‘Applying the Public Interest Test – a snapshot’ may assist you with the following questions.)

3. What factors would you take into account and what weight would you give them when assessing the relevance of these concerns to the question of whether there is a public interest consideration against disclosure of the information? (Use the prompts on the next page as part of your considerations)

Use the space below to record key findings as you review the following questions and balance the considerations for and against disclosure of the requested information.

Considerations for disclosure | Considerations against disclosure


a) Would release of the information contravene an Information Protection Principle (Clause 3 (b) of the Table to Section 14)? (see Appendix 1)

b) Are there any other relevant factors personal to the application as in Section 55?

c) Are there any other facts which you might know, or need to find out, to determine relevance under Clause 3 of the Table to Section 14?

d) Can you possibly find a way to release the requested information, refusing only what you must, using any of Sections 72 – 78?


Appendix 1 – The Information Protection Principles (IPPS) fact sheet


Appendix 2 – The Health Privacy Principles (IPPS) fact sheet


Appendix 3 – Applying the public interest test – a snapshot