Personal information Protection Act 2004 (Tas)

The Personal Information Protection Act (the PIP Act) is subordinate to other legislation where its provisions are inconsistent with other legislation. This means that the Right to Information Act will take precedence over the PIP Act if there is an inconsistency in the provisions.

The PIP Act allows a person to apply for and have access to personal information held by a personal information custodian (Schedule 1 – Clause 6). There are three points to address in terms of this right to apply for access. Firstly, an application isn’t guaranteed to result in access. Access MAY be granted, but it is not a MUST. Secondly, access to personal information is not access to the document that contains the personal information. Personal information, when provided under a request through the PIP Act, will usually be provided in the form of an extract of the document containing the information. This personal information can be both or either information or an opinion about a person. Furthermore, the person’s identity must be apparent or reasonably ascertainable (Guideline 1/2013). Thirdly, ‘personal information custodian’ (PIC) is a very broad term, and can refer to:

• A public authority
• Any body, organisation or person who has entered into a personal information contract relating to personal information
• A prescribed body

In relation to the second dot point, a personal information contract can be between a government body/public authority, such as the Hobart City Council or DPIPWE, and a private company. For example, the HCC might enter into a contract with a private company to collect and store information on dog owners. This would mean that the private company would be a personal information custodian for the purposes of a person who wants to access information stored about them and their ownership of dogs.

A request to a PIC to access personal information must be in writing. You may also request that information held is amended if you find it is incorrect (s17A). If a personal information custodian refuses your request to see your personal information or does not respond within 20 working days then on receipt of a second written request they must treat your request as an application for assessed disclosure under the Right to Information Act 2009 and the timelines and review rights under that Act apply. At the end of the process, if there has been no grant of access, an applicant can make a complaint to the Ombudsman, be it either under section 44 of the Right to Information Act 2009 or the PIP Act section 18.

The PIP Act has two sets of personal information: personal information collected before the commencement of the Act, and personal information collected after. Personal information collected after the commencement of the Act is to be treated in accordance with all the principles set out in Schedule 1 of the Act (s6). The principles exclusive to information collected after commencement are:

• A personal information custodian must not collect personal information unless the information is necessary for one or more of its functions or activities
• A personal information custodian must not assign a unique identifier to an individual unless it is necessary for it to carry out any of its functions efficiently.
• Anonymity: Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with a personal information custodian.
• A personal information custodian must not collect sensitive information about an individual unless the individual has consented, or the collection is required or permitted by law; or the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual.

Information collected before the commencement of the Act is to be governed in accordance with principles 2, 3, 4, 5, 6 and 9 only.

There is a requirement in the Act that all personal information custodians comply with these Personal information protection principles (ss16 and 17). Complaints are managed by the Ombudsman.

There are exemptions to the provisions of the Act. These are:

• Courts and tribunals;
• Public information;
• Law enforcement information where non-compliance is reasonably necessary for law enforcement functions and activities;
• Employee information;
• Unsolicited information – information given without being sought to a public information custodian; and
• The use of information for basic purposes, such as storage, communication with a public sector body, and the information is basic personal information (such as name and age).