Scrutiny of Acts and Regulations Committee

Privacy Code of Conduct for Members of the Victorian Parliament

Final Report, March 2002

[Back to Table of Contents]

Introduction

Context – Communications Technologies

The Committee’s activities since its May 2001 Report

Submissions and Public Hearings

Revised Code

Recommendations

Review of the Code

Introduction

Privacy is becoming a key issue for citizens’ confidence – in government and in business. The Victorian Parliament has responded to this by enacting the Information Privacy Act 2000 (IPA) and the Health Records Act 2001 (HRA), while the Commonwealth has extended the Privacy Act 1988 to cover large businesses in the private sector nationally. Both the IPA and the HRA confer on the Scrutiny of Acts and Regulations Committee the responsibility to consider future legislative proposals for any adverse effects on personal privacy.[2]

One of the main purposes of the IPA is to "establish a regime for the responsible collection and handling of personal information in the Victorian public sector".[3] The IPA took effect from 1 September 2001. Similarly, the purpose of the HRA is "to promote fair and responsible handling of health information by … protecting the privacy of an individual’s health information that is held in the public and private sectors …".[4]

While Section 9(1) of the IPA expressly exempts Members of the Victorian Parliament (Members), other than in their capacity as Ministers or Parliamentary Secretaries, the HRA does not have an equivalent exemption.

During the passage of the IPA, there was bipartisan agreement that MPs should be covered by a voluntary code of conduct, dealing with the same range of issues as the Act. The Minister gave a reference to this Committee to draft a Code.[5]

In May, the Committee published its first Report on an Interim Privacy Code of Conduct for Members of the Victorian Parliament. All Members were provided with a copy.

The May Report explained the way in which personal information is typically collected, held and used by MPs as they perform their various roles and functions, and discussed the implications of each of the Principles in the Act if it were applied unchanged to MPs.

Potential complexities in applying the Principles, unaltered, in a number of areas were identified and discussed. These included issues of consent for collection of sensitive information; political communication; disclosure under parliamentary privilege; protection of sources and access by individuals to information held about them.

In the time available to the Committee in dealing with this reference, some changes were considered desirable to accommodate the unique circumstances and role of MPs, and the Principles were amended accordingly. The Committee recommended the resulting model Code[6] as a basis for adoption or further adaptation as an interim Privacy Code for Victorian MPs.

Context – Communications Technologies

The Committee’s terms of reference for this Inquiry include having regard to ‘current and emerging communications technologies’. The Victorian Parliament is already advanced in its use of information and communications technology. The provision of a wireless network to give Members flexible access to information within the parliamentary precinct; the widespread use of mobile telephones and the receipt of electoral roll information from the Victorian Electoral Commission, as well as electoral databases from political parties, are key aspects of the way in which technology is assisting Members in their work.

The greater the use of advanced technology in the community, the more information will be collected, stored, used and disclosed in electronic (digital) form. This brings with it a risk of unauthorised access use or modification. Whether that risk is any greater than the risk of unauthorised access to paper records is arguable. With appropriate security (as required by the proposed Code), the risk may actually be reduced by computerisation, although new risks, including of hacking and changes to data which go unnoticed, may arise.

What is clear is that the public remain very concerned about the risks of misuse of computerised information, and are particularly nervous about on-line transactions including the potential abuse of e-mail.[7]

As is the case for anyone using communications technologies for professional or business purposes, Members of Parliament need to pay attention to this concern. There is however an additional factor – Members have access to the electoral roll information in a form not available to others.[8]

If Members want to take full advantage of new technology, it seems clear that they need to offer individuals the assurance that they are subject to privacy protection standards. This is why the Committee has been given this reference, and the reason why Members need to acknowledge their responsibilities and act on them.

This issue will increasingly extend to developments in electronic democracy, which offer exciting potential for increased understanding of, and participation in, the political process. Whether in electronic voting;[9] acceptance of submissions over the Internet; ‘virtual’ proceedings or e-mail petitions, privacy and security will be major issues and potential ‘blockers’ if not dealt with in a way that satisfies public concerns.

The Committee’s activities since its May 2001 Report

Since issuing its first report, containing a draft Code for consultation, the Committee has sought further input to its considerations in a number of ways. Information privacy consultants were engaged to assist the Committee with the second stage of the reference.

The Information Privacy Subcommittee called for public submissions on the draft Code, and invited comments from all Members. A special issue of the Committee’s newsletter, which is regularly distributed to all Members, was devoted to the report.

Public hearings were held on 30 August 2001 (see below).

The Subcommittee produced a further document containing a set of Frequently Asked Questions (FAQs) (Appendix 2) and a model Compliance checklist. These documents were distributed to all Members. The FAQs attempted to answer some of the questions that had been asked during the course of the consultation period. The intention of the checklist was to illustrate the practical implications of adopting a Code – explaining what action Members and their staff would have to undertake to ensure compliance.

The Subcommittee Chair briefed the Victorian Parliamentary Labor Party on 30 October 2001, and the consultants briefed the Victorian Parliamentary Liberal Party on 16 October 2001. Discussions were also held with the Victorian Parliamentary National Party, and with Independent Members.

The political party organizations outside Parliament provided input through their parliamentary parties and committee members.

Useful input was also contributed by Ms Bronwen Fitzgerald, a Parliamentary Intern, who carried out interviews with a number of MPs and their staff as part of a project on the Privacy Code.[10]

The Subcommittee invited all Members to a final consultation seminar on 8 November 2001, to discuss the issues raised during this phase of the inquiry and possible changes to the draft Code.

Submissions and Public Hearings

Written submissions were received from the following:

The Hon. Ron Bowden MLC;
The Hon. Bill Baxter MLC;
Mr Russell Savage MLA;
Mr Michael Leighton MLA;
The Parliamentary National Party;
The Presiding Officers of the Victorian Parliament (joint submission);
Communications Law Centre, Melbourne.

 Mr Bowden also gave oral evidence at the public hearing on 30 August 2001, as did:

The Hon. Robert Maclellan MLA;
Mr Colin Barry, the Victorian Electoral Commissioner;
Ms Beth Wilson, the Victorian Health Services Commissioner and Ms Anne Mullins, Health Records Act Education Officer, and
Mr Paul Chadwick, the Victorian Privacy Commissioner.

Because many views have been put to the Committee informally, the summary of submissions that follows does not specifically attribute views to particular individuals or organizations except where this is appropriate. The summary is organized around a number of topics.

Need for a Code

Opinion is divided amongst Members as to the need for a Code. Some can see no clear evidence either of demand for a Code or of abuses or problems in the way Members operate that would justify the imposition of standards.[11] The Committee notes that there is no specific evidence of public concern about how MPs handle personal information. Furthermore, no evidence was submitted to the Committee of specific complaints about breaches of privacy. The Committee also noted that the Privacy, Health Services and Electoral Commissioners; the Communications Law Centre and Mr Russell Savage MLA all expressed a view that there could be public concern about some of the information held by Members and its uses.

Scope of the Code

Some submissions suggested that the scope of the Code is too wide:

Firstly, there is a view that the Code should only apply to the information which Members hold about constituents. This would leave information they hold about other people outside the scope of the Code.

It is however difficult to maintain this distinction in practice. People move; electoral boundaries change; Members retire, resign, lose their seats, move from one electorate to the next or from one House to the other. Each of these events could change the status of the personal information a Member holds about an individual and therefore the way it is handled. Moreover, delineating those who are encompassed by the Code immediately excludes those who are not and increases the likelihood that Members will be drawn into disputes and complaints about who is ‘in’ and who is ‘out’.

At the same time, no such line of demarcation will exist if the information is about the person’s health. Members must handle personal health information in accordance with the Health Records Act, regardless of the relationship of the individual to the Member. Similarly, all personal information handled by a Member in his or her capacity as a Minister or Parliamentary Secretary must be protected to the standards set out in the Information Privacy Act. Having a Code that covers only constituents may increase the risk for all Members that, at some stage, they will inadvertently handle information about an individual in a way that does not align with the requirements of privacy legislation.

The Committee concludes that restricting the scope of the Code to constituents only would be both unworkable and undesirable because it would be administratively complex and would expose Members to a greater risk of receiving complaints under the Code as well as under the Health Records Act and Information Privacy Act

Secondly, some Members suggested that the Code should apply only to electronic records, and/or to formal databases (ie: excluding emails or electronic ‘notes’). Many privacy laws started life as data protection laws applying wholly or mainly to computerized records.[12] This was based on a perception that the real risk to individuals arose from the power of computers to assemble and manipulate information, and to give much enhanced access to many more users. The focus of such laws is, and remains, on systematic databases with shared access, rather than on informal paper records.

It is clearly in the context of electronic transactions and computerised information that many privacy concerns arise most acutely. However, information that was once kept only on paper, or not recorded at all, is increasingly held in electronic form, including as e-mail, in personal organizers and on voice-mail or messagebanks.

Also, once it is accepted that standards should apply, and that individuals should have rights in relation to personal information, it is difficult to justify restricting the scope of those standards and rights to electronic information. An individual can be just as disadvantaged by inaccurate paper records, or by the unauthorised release of a confidential letter, as by the equivalent lapses with computerised records. It is for this reason that most privacy laws, including the Victorian Information Privacy Act and Health Records Act, have abandoned the distinction and apply equally to paper and electronic information.

It is important to recognize however that the definition of personal information used in the Information Privacy Act, and in the proposed Code, refers only to recorded information (in any form) so that it does not seek to cover information held only in someone’s head, or restrict social communications.

Another issue was whether the Code would apply to political parties. This was raised in the context of the recent amendments to the Privacy Act 1988 (Cwth).[13] The Committee notes that with government and opposition support, elected representatives and registered political parties were expressly exempted from the new Commonwealth private sector privacy regime commencing in December 2001.[14] It is beyond the scope of the Committee’s terms of reference to canvass the potential constitutional issues that may arise with respect to the application of the Commonwealth exemption to other jurisdictions.

The proposed Code does not apply to the collection, use and disclosure of information by political parties. Electoral roll information supplied by political parties to Members is covered. As explained it the first report, it would be impracticable for Members to make a distinction between records held for their constituency or parliamentary work and those held for the purposes of campaigning for re-election. This view was expressly supported by the Electoral Commissioner, and was not challenged in any other submission.

Finally, some Members are clearly concerned about differentiating their activities that would be subject to this Code from those that may be subject to other privacy rules.[15] These include the Health Records Act (see below) but also the Information Privacy Act (if they are Ministers or Parliamentary Secretaries), and the Privacy Act 1988 (Cwth) – if they hold positions in organizations covered by that Act. The Victorian legislation was designed to be as consistent as possible with the federal legislation. It is based on the National Privacy Principles on which the Commonwealth legislation is also based, although there are some differences. To the extent that the Code reflects the standards in the legislation, the practical difficulties arising from the multiple jurisdictions are minimised.

The relationship of the Code to Parliamentary Privilege

Several submissions referred to Parliamentary Privilege and to a perceived conflict between privilege and the proposed Code.

Parliamentary privilege encompasses both immunities and powers. The Privacy Code should not interfere with the longstanding conventions that guide and protect the operations of parliamentary democracy, and in particular, does not interfere in any way with the immunity relating to disclosure of personal information in the course of Parliamentary proceedings. This is an absolute privilege, subject only to oversight by the Privileges Committees, and in both Houses to the Right of Reply granted by Sessional Orders.[16]

Parliamentary privilege does not extend to everything an MP does or says – particularly outside the House and in relation to constituency matters other than in the course of speeches, debates and other proceedings.

The Legislative Council and the Legislative Assembly each have the power to censure and discipline its Members for breaches of accepted standards, with sanctions ranging from reprimand, admonition, imposition of fines, suspension and removal from office.

Petitions

The Committee’s first report discussed the issues surrounding the tabling of petitions. The Privacy Commissioner supported the suggestion in the first report that policy of not routinely making public the names and addresses of all signatories to a petition might better meet individuals’ expectations.[17] However, the Presiding Officers took the view that the present practice should remain unchanged, on the basis that petitions are public documents available for inspection. The Committee notes that legitimate petitions play a very important role in informing Members about community concerns and consequently supports the views of the Presiding Officers at this stage in the development of the Code.

Access by individuals to personal information held by MPs about them

Several submissions expressed concern about having to give individuals access to any personal information that Members held about them.

A right to seek access is a fundamental component of any privacy regime, but so too is the acceptance of other public and private interests that may compete with that right and require it to be modified. The draft Code gives Members the absolute discretion to withhold personal information, but the wording may not have made this clear. The Committee accepts the need for Members to have an discretion to withhold, and to make this clear in the Code.

The Health Records Act

Victorian MPs are subject to the Health Records Act 2001, which is expected to take effect from 1 March 2002. The definition of health information is very broad, and most Members will hold at least some records that include health information.

In response to submissions and discussion at the public hearings, the Subcommittee considered incorporating detailed guidance on Health Records Act compliance in the various Clauses of the Code. But because that Act is quite prescriptive, with lengthy principles, definitions and exemptions, it was felt that this approach would have resulted in an unbalanced Code – the Health elements sitting uneasily alongside the concise general principles applying to all other personal information. For this reason, the final Code retains a statement reminding Members that they are subject to the Health Records Act. The Health Services Commissioner is expected to issue guidance on compliance with the Health Records Act with which Members and their staff will need to familiarise themselves in due course.

Records of former MPs

This issue was raised in the first report, and the suggestion that a policy be developed was supported in the submission from the Presiding Officers.

Implementation and enforcement

One of the main issues raised during the consultation was the method of implementing and enforcing a Privacy Code.

Enforcement of standards is understandably a significant issue for MPs. Parliaments embody sovereign power, Members are directly elected by the people, and are accountable on a daily basis to the electorate; political parties, the media and community groups. Members in most Parliaments have been particularly concerned to avoid putting in place opportunities for deliberate obstruction of legitimate parliamentary activities, and about the potential abuse that could constrain the traditional role of Members.[18]

However, in recent years many Parliaments have adopted a range of standards by which Members agree to be bound, with varying status and levels of enforcement. As explained in the Committee’s first Report, Members of the Victorian Parliament are already subject to rules relating to the Register of Interests and to Health Records (both by law); to the right of reply (by Sessional Orders) and to E-mail use and Equal Opportunity and Harassment (informal rules). That the principle of sovereignty and separation of powers is not necessarily inconsistent with self imposed standards is shown not only by these existing regimes, but also by the fact that the UK and Irish MPs are fully subject to their privacy laws.

Other overseas mechanisms include an Ethics Committee in South Africa, a Parliamentary Commissioner for Standards (and a Committee) in the UK, a role for the President of the Bundestag in Germany, and an Integrity Commissioner for the Ontario Legislative Assembly. Ireland has a Public Offices Commission which can accept complaints direct from other Members, or from other persons on referral from the Clerk of the House. In the US, both Houses of Congress have Ethics Committees monitoring the Codes of Official Conduct. The Privacy Commissioner, in his submission, suggested that the Victorian Parliament might consider a wider ranging ‘Ombudsman’.

The first Report canvassed a range of options for complaint handling, determination of breaches and sanctions. The Presiding Officers, in their joint submission, take the view that they, rather than a committee, should handle any allegations of breaches, and that they should have discretion as to the sanctions that are appropriate in the circumstances.

The Presiding Officers’ suggestion would seem to accord most closely with Members’ views.

It has subsequently been suggested that a one or more retired senior parliamentarians could play some role in advising Members and mediating disputes.

Revised Code

Several changes have been made to the draft Code since the May version.

Two key definitions have been included so that the Code stands alone, and so that references to other documents are not required.

Two principles (unique identifiers and anonymity) have been omitted as it seems unlikely that they would be relevant to MPs activities. A further principle (Trans-border data flows) is also omitted because MPs rarely disclose personal information outside Victoria.

Other clauses have been amended to more closely reflect current practices of Members.

Recommendations

The Committee recommends that the Privacy Code of Practice in Appendix 1 of this report be adopted, by resolution of each House, as the standard applicable to the handling of personal information by Victorian MPs including their staff.

The Committee takes the view that in light of differences of opinion over the need for a Code, it is preferable to leave the choice of whether to adopt to each Member. Public opinion will ultimately determine whether it is acceptable, and sustainable, for a Member to choose not to formally adopt the Code.

The Committee recommends that the Code be made available for MPs to adopt on a voluntary basis.

In relation to enforcement, there seems little point in putting a Code in place if those who are bound by it cannot be held to account for meeting its standards. On the other hand, it is clear that Members do not wish an enforcement regime to be too rigid or prescriptive or to specify sanctions in advance.

The Committee recommends that Members adopting the Code be accountable for compliance to the relevant Presiding Officer, whose decision in relation to complaints and sanctions should be final. One outcome could be referral of the complaint to the Privileges Committee for further consideration and action.

Consideration should be given to appointing one or more respected former Members as ‘on-call’ advisers on privacy (and perhaps other ethical issues). The same person(s) could act as mediator in any privacy complaint cases.

The Committee recommends that consideration be given to appointing one or more former MPs to provide privacy advice and assistance with mediation as, or if, required by individual Members.

To assist public awareness and understanding of the Code, and to differentiate Members who have adopted it, they should be entitled to promote their intended compliance.

The Committee recommends that those Members adopting the Code be entitled to communicate their intended compliance with the Code.

Members should be assisted in their compliance with the Code by the Joint Services Department. The Frequently Asked Questions (FAQs) and compliance checklist (Appendices 2 and 3) could be revised and re-issued by the Department, which should also provide Members with standard ‘template’ privacy notices and statements for use in their offices, in correspondence, and on their web sites. The IT unit should continue to provide the security infrastructure and training in its use, and to ensure that security measures are continually upgraded to respond to new threats. The Department should also organize general training for staff, and this could be made available to MPs as well.

The Committee recommends that the Parliament provide support to Members and their staff in the form of guidance, template wording for notices, IT infrastructure and training. The Parliament should develop a policy on relevant records detention and deletion for Members who retire from either House.

Review of the Code

It would be sensible to review the operation of the Code after a period of time. Such a review would have several objectives. It would provide a public report on the extent to which the Code had been implemented, and on the number and type of complaints about breaches (if any). It would allow Members and their staff to comment on how the Code had affected their activities (if at all), and any difficulties that may have arisen. It could also take into account experience of the operation of the Information Privacy Act, the Health Records Act and privacy laws in other jurisdictions to ensure that the Code continued to reflect best practice.

The Committee recommends that there be a formal review of the Code after three years of operation.

Footnotes

[1]

From the commencement of the Health Records Act 2000.

[2]

Information Privacy Act 2000, s.74; Health Records Act 2001, s.115.

[3]

Information Privacy Act 2000, s.1(a).

[4]

Health Records Act 2001, s.1(a).

[5]

See Terms of Reference.

[6]

Appendix 1 to the Report.

[7]

See July 2001 research findings by Roy Morgan research for the Office of the Federal Privacy Commissioner, at www.privacy.gov.au.

[8]

Transcript of Evidence, 30 August 2001, Victorian Privacy Commissioner, pp 22 and 26, and Victorian Electoral Commissioner, pp 17-20.

[9]

The ACT recently experimented with On-line voting in the October 2001 Territory elections.

[10]

Privacy for the Public: A report into a privacy code for Members of Victorian Parliament for Carlo Carli MLA, by Bronwen Fitzgerald, Parliamentary Intern, November 2001.

[11]

See also Bronwen Fitzgerald Report (see footnote 7), paras 8.1-8.2.

[12]

Eg: the UK Data Protection Act 1984 and similar European laws. The previous Victorian government’s draft legislation was called a Data Protection Bill, although the definition of data always extended to paper records.

[13]

Amendments effected by the Privacy Amendment (Private Sector) Act 2000 (Cwth).

[14]

Privacy Act 1988 (Cwth) s.7C and definition of ‘organisation’.

[15]

Bronwen Fitzgerald Report (see footnote 10) paragraphs 5.2 and 8.4.

[16]

Legislative Assembly - adopted 4 November 1999; Legislative Council, 3 November 1999.

[17]

Transcript of Evidence, 30 August 2001, Victorian Privacy Commissioner, pp. 22 and 29.

[18]

See Gerard Carney – Members of Parliament: law and ethics, Prospect Media, 200, Chapter 12.

Scrutiny of Acts and Regulations Committee
© Parliament of Victoria