Address by the Information Commissioner
At a recent seminar, the NSW Privacy Commissioner, Chris Puplick, told the audience that it was impossible for government agencies in NSW to comply at the same time with the FOI Act, the Privacy Act and the Archives Act in that State. This problem arises because of the inherent contradiction between access and privacy on the one hand, and between legislation governing the creation and maintenance of government records and access and privacy rights on the other.
I do not share the concerns of my colleague in NSW about the degree of fit, or should that be misfit, between the Freedom of Information Act 1992, the State Records Act 2000 and privacy, in spite of the fact that privacy legislation does not exist in Western Australia.
FOI is about providing access to government records and balancing competing interests in the exercise of that right. Among other things, the State Records Act 2000 regulates the keeping of those records. Privacy is concerned with a particular kind of record, namely those containing personal information and, through established and well-recognised Privacy Principles, it regulates the information management practices of agencies to ensure that individuals have the right to:
· Know what records about them are collected, maintained, used and passed on by agencies;
· Have access to personal information held by agencies and to amend or correct that information; and
· Prevent information obtained by agencies for a specific purpose being disclosed for another purpose without their knowledge.
If one considers those parts of the State Records Act 2000 dealing with access, namely ss.44, 46, 49 and 50, it is tempting to conclude that the Freedom of Information Act 1992 is the more important of the two Acts in WA, perhaps even more so since the FOI Act is the only source of privacy rights in this State. My own view is that the fundamental principles of FOI, privacy and archives legislation are equally important. However, I recognise that there are areas of commonality and this suggests to me that some rationalization may be necessary, if only to avoid the compliance problems highlighted in NSW.
Let me explain what I mean. Three examples immediately come to mind. Firstly, under FOI, agencies are required to publish information about the general kinds of records held by them. This publication requirement is also reflected in the Openness Principle under privacy, which requires agencies to be open about their practices and policies with respect to personal data and to reveal the existence and nature of records containing personal data, the main purpose of its use, as well as the identity and business address of the controller of that information.
Even if it is not mandated under legislation, most agencies will comply with that principle by identifying and describing such records and making that information publicly available. Retention and disposal schedules prepared for the purpose of an agency’s recordkeeping plan also contain similar kinds of information.
Secondly, the State Records Act 2000 requires agencies to develop and implement Recordkeeping Plans, which deal with, among other things, the security and disposal of records. Privacy requirements relating to the security of records containing personal information are covered in the Security Principle, which requires agencies to ensure that personal data is protected by reasonable safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of that information.
Thirdly, the access and correction rights and procedures in the FOI Act reflect the Individual Participation Principle under privacy. Of course in other areas, privacy, FOI and archives legislation stand alone and there is no duplication or overlap between them.
I suspect that part of the reason for the problem identified by the NSW Privacy Commissioner may be that in NSW at least, the responsibility for privacy, FOI and archives is vested in different bodies, each having its own views and perspectives of the relevant importance of its own area.
However, we do not have that problem in WA because of the model used to establish a State Records Commission. By now you will all know that the State Records Commission consists of 4 members, the Auditor General, the State Ombudsman, the Information Commissioner, and a record keeping professional, in this case, Kandy Jane Henderson. The Commission reports to Parliament and, with some limits, is not subject to direction by the Minister. The Commissioners bring a combined mixture of public administration expertise, FOI and privacy knowledge, and recordkeeping professionalism to the Commission.
Using the terminology applied by one of your own, it is a third generation functional model consisting of a single body, the Commission, with responsibility for certain outcomes, namely, the setting of recordkeeping standards, monitoring compliance and inquiring into breaches of the legislation. Within that model, the role of the Commission is to provide broad and strategic guidance to agencies through the standards, which it sets.
In setting standards and principles for agencies to follow in developing recordkeeping plans, the Commission functions at a strategic level. It does not, and should not prescribe the detailed contents of those plans. Of course, some agencies are looking for exactly that – they want a simple checklist or template so they can fill in the blank spaces and claim the result as their own recordkeeping plan. Whilst that simplistic approach is attractive, it creates its own set of problems. One size simply does not fit all.
The Commission has published the first set of Recordkeeping Standards and principles and more will follow. Recently, in a planning day, we identified some of the challenges facing the Commission and agencies in the future, and reviewed our strategies for dealing with those challenges. I think it would be fair to say that the Commission sees its role as the leader of change in Western Australia. Our aim is to build upon the goodwill and commitment, which exists among the recordkeeping professionals, and to facilitate ‘best practice’ by government organizations in Western Australia and enhance the accessibility of records.
These are not merely lofty ideals. They are part of the legislative mandate of the Commission contained in s.60(2) of the State Records Act 2000. However, there is always a ‘down side’ and in this case the Commission recognises that limited resources are available to the State Records Office and to agencies to facilitate compliance.
It would be regrettable if government organizations merely complied with the requirement to produce recordkeeping plans and to review those plans periodically, and did nothing more than that. After all, the purpose of a recordkeeping plan is not to produce a plan, but better recordkeeping practices by government organizations. This is where the Commission’s function of monitoring compliance with the legislation will become important.
I am speaking now as Information Commissioner, not as a representative of the State Records Commission and my view are not necessarily those of my fellow Commissioners. For me, best practice and access are concepts that apply to the totality of information practices in government organizations, not merely to those related to the State Records Act 2000. I am mindful of related obligations on agencies under the FOI Act, and under privacy legislation, which can be expected in the near future. Therefore, I would like to lay down this challenge to those of you who work in State and local government agencies.
If you are involved in the preparation of recordkeeping plans, as some of you will be, you need to think strategically and beyond the familiar practices of your profession. The blueprint provided by the State Records Commission does not necessarily limit the content of those recordkeeping plans. If you also include the information prescribed in s.94 of the FOI Act relating to Information Statements, you will in effect ‘kill two birds with one stone’.
When you are listing and describing record series for the purpose of a Retention and Disposal Schedule under the State Records Act, give some thought to classifying those same records for the purpose of access under the FOI Act. For example, are the records sensitive or routine? Is an FOI application needed to access them or can access be provided upon request? If they are sensitive, why are they sensitive and how long should they remain so? Which ones contain personal information? What kind of personal information do they contain? Can they be de-personalised? Why does the agency require this kind of information? Can the recordkeeping plan and the R&D Schedule be posted on the agency’s website, once it is approved so that the public has access to the kind of information it needs as a prerequisite to using the FOI Act?
I am constantly badgering my fellow Commissioners with questions like these. I want to see the State Records Commission and the State Records Office break new grounds in accessibility in this State. Even a little step, such as including minutes of our meetings on the website, demonstrates that we are leading change in transparency and accountability in the WA public sector. I challenge you and your agencies to follow suit.