Thursday, 25 May 2017

Don't buy a data breach - Privacy and data security when procuring goods and services

At our recent monthly seminar 'Information Sharing and Data Protection - Know your Value', we discussed the importance of monitoring suppliers to mitigate privacy and data breaches.  This data security theme was continued during the Commissioner for Privacy and Data Protection's recent Privacy Awareness Week.

Remember these key messages and tips to help minimise the risk of your procurement experiencing a data or privacy breach:

Value your Data

From the outset, think about the value of the data that your supplier will collect or have access to during the arrangement.  This will enable you to determine the appropriate information handling and privacy requirements you'll need.

Choose the Right Supplier 

Ensure that your information handling and privacy requirements are part of your sourcing plan and clearly set out in your market-facing documents.  Award a contract to a supplier who can demonstrate a good track record of understanding and implementing privacy and data security.

One size does not fit all  

Your risk management strategy needs to be proportionate and tailored to the size and activity of your procurement.  For data-heavy supply arrangements, you may need to consider additional protections, including how information will be managed when a supplier transitions out.

Monitor your supplier's performance against the contract 

The words in the agreement are important, but ongoing contract management is necessary for early detection of possible data and privacy breaches.

If you'd like assistance on managing your suppliers to meet your information handling obligations, please contact:

Rebecca Radford
9947 1403

James Stephens

Snezana Stojanoska
9947 1412

Tuesday, 14 March 2017

Victorian Commissioner for Privacy and Data Protection Report - Learnings and Hurdles

A recent Commissioner for Privacy and Data Protection (CPDP) report on information governance at the Department of Health and Human Services (DHHS) provides valuable guidance to assist government agencies to comply with the Privacy and Data Protection Act 2014 (Act) and the Victorian Protective Data Security Standards, in particular.  Below we look at key learnings that other agencies can take on board as part of their own compliance preparation.

A high priority: manage your contracted service providers

Department and agency heads will be responsible for ensuring that both their own organisations and their Contracted Service Providers (CSPs) comply with the Standards.  Contract terms making CSPs liable for compliance with the Information Privacy Principles won't remove the risk of privacy and data security incidents occurring.

The finding in the Report showed that while agencies must ensure their agreements with CSPs are consistent and reflect up to date information governance requirements, there needs to be appropriate and effective resourcing, due diligence and monitoring of CSP compliance too.  Without appropriate monitoring, there is a greater risk of incidents which could mean that the agency may not have met its obligations under the Act.

Achieving compliance with the Victorian Protective Data Security Standards

The Report recognises that not all Victorian Public Sector organisations may be fully compliant with the Standards by July 2018.  Showing that you are on track is crucial though, and submitting a security assessment and plan to the CPDP is mandatory.  Further, the CPDP recognises that some agencies may already comply with much of the Standards by having implemented the Information Security Management Framework (2009) and through annual reporting to the Victorian Auditor-General's Office.  The steps required to achieve compliance will not necessarily be the same for all agencies, nor will they necessarily be wholly new or particularly onerous.

Other factors to consider in your compliance framework

  • Are your information policies and procedures consistent and do they reference each other?  Are your staff aware of where to find them, and are they regularly checked and updated?
  • Does your organisation have up to date privacy and data security incident management procedures? Does your organisation need defined criteria of when to notify others and escalate incidents?
  • Have you developed scenario-based privacy and data-security training for CSPs and your frontline staff based on their day-to-day roles?
  • Do you need an information asset register?  This can identify the information you handle, its value, risks and regulatory requirements, and how to use and manage it.

If you have any queries regarding privacy law in Victoria, please call:

Rebecca Radford
Managing Principal Solicitor
9947 1403

Molina Asthana
Principal Solicitor
9947 1420

James Stephens
Principal Solicitor
9947 1422

Wednesday, 22 February 2017

No longer in the shadowlands: regulation of unregistered health service providers

As of 1 February 2017, Victoria has a new health complaints system with the commencement of the Health Complaints Act 2016 (Act) and the appointment of the inaugural Victorian Health Complaints Commissioner, Karen Cusack. This new role replaces the former Health Services Commissioner.

It has been almost 30 years since the Victorian health complaints scheme was designed. In this time, the number and diversity of health services available have increased significantly.

Media reports over a number of years have highlighted the stories of vulnerable and unwell people, who have obtained health services from unregistered health service providers based on what they later realised were false or misleading claims about the efficacy of the treatment. In a number of cases, the treatment received has been experimental, costly, and provided to the potential detriment of the patient’s health in cases where other treatment options have been ignored or discouraged.

Previously, there was only limited recourse under consumer protection and trade practices legislation in situations where a person complained about an unregistered health service provider.

The new Act seeks to address the previous ‘shadowlands’ of unregistered health providers to better protect members of the public from receiving unsafe or non-efficacious health services.

Many providers of what are often described as 'alternative' or 'non-mainstream' health services are not subject to professional registration and, therefore, lie beyond the regulation of the 14 health profession boards and the Australian Health Practitioner Regulation Agency (AHPRA). The Health Practitioner Regulation National Law (Victoria) Act 2009 is also not directed at preventing a registered health practitioner from providing unsafe, non-efficacious or unethical health services where such treatment is outside the scope of their professional registration.

The Act applies to all providers of a 'health service'. This term is defined broadly in the Act and focuses on the purpose of the activity. For example, it covers any activity intended or claimed to 'assess, predict, maintain or improve [a] person's physical, mental or psychological health or status', as well as therapeutic counselling services. Importantly, the Act introduces a Code of Conduct that sets standards for the provision of safe and ethical health services.

The Act seeks to promote the efficient and effective management of complaints with a focus on conciliation. However, where a complaint cannot be resolved, the Act provides the Commissioner with significant powers to investigate complaints and take action against unsafe or unethical health service providers.

Powers of the Health Complaints Commissioner

The Health Complaints Commissioner has power under the Act to:
  • investigate complaints about the provision of 'health services', including by:
    • unregistered practitioners
    • registered practitioners providing health services outside the scope of their professional registration
    • formerly registered practitioners
  • conduct own motion investigations where no specific complaint has been received
  • accept complaints from affected individuals and third parties, including carers, health practitioners or other healthcare providers
  • make prohibition orders to prevent unsafe or unethical services or products 
  • enter and search premises, order the production of documents, and call persons to give evidence at an investigation hearing before the Commissioner 
  • set penalties for failing to comply with investigation hearing notices and interim prohibition orders of the Commissioner (including up to two years' imprisonment)
  • ban unregulated healthcare providers from providing health services in Victoria where they are prohibited from practising in other states
  • publish public health warnings and publicly name providers

The new Health Complaints Act is a welcome step to fill the regulatory gap that existed between unregistered healthcare providers and registered health practitioners to ensure better protection for the health and wellbeing of the public.

Health Complaints Commissioner
Code of conduct

Joanne Kummrow
Special Counsel
03 8684 0462

Andrew Field
Managing Principal Solicitor
03 8684 0889

Michele Rowland
Principal Solicitor
03 8684 0413

This blog was prepared with the assistance of Mary Quinn, Solicitor, and Milli Allan, Trainee Lawyer.

Friday, 17 February 2017

Enterprise bargaining - proposed changes to the Referral Act

Last week the Victorian Government introduced into Parliament proposed legislation to expand the referral of industrial relations matters to the Commonwealth under the Fair Work (Commonwealth Powers) Act 2009 (the Referral Act).

The Fair Work (Commonwealth Powers) Amendment Bill 2017 (the Bill) proposes to enable public sector employers and employees (excluding law enforcement officers) to bargain over, and reach agreement on, matters relating to the number, identity or appointment of employees.


Australia's federal workplace relations laws rely primarily on the Commonwealth's power to legislate with respect to constitutional corporations.

Under the Referral Act, the Victorian Government referred certain industrial relations matters to the Commonwealth to bring other Victorians into the federal industrial relations system. However, the Government excluded from the Referral Act certain matters relating to public sector employees.

This exclusion was based on an understanding of the implied limits on Commonwealth legislative power. In Re Australian Education Union, the High Court held that certain matters relating to State employees were critical to a State's capacity to function as a government and therefore beyond the Commonwealth's legislative power. These matters included a State's right to determine:

  • the number and identity of its employees;
  • the length of employees' employment; and
  • the number and identity of those whom it wishes to dismiss on redundancy grounds.

In 2015, however, the Full Federal Court held in United Firefighters' Union of Australia v Country Fire Authority that, where there was voluntary agreement about such matters, there was no practical impairment of the State's capacity to function as a government. As a result of this decision, such matters may be included in enterprise agreements that cover constitutional corporations and their employees.

The Bill

The Bill proposes to refer to the Commonwealth certain matters concerning the number, identity and appointment of public sector employees (excluding law enforcement officers). The Bill is relevant for those employees in the public sector (excluding law enforcement officers) who are not employed by constitutional corporations and, accordingly, is relevant for the employers of such employees.

The proposed changes will enable those public sector employees and their employers to include in enterprise agreements enforceable terms dealing with matters such as minimum staffing levels, staffing ratios, or the number of casual, seasonal or fixed term employees.

The Bill also proposes to empower the Fair Work Commission to make workplace determinations in respect of those public sector employees and their employers which include agreed terms dealing with these matters.

However, the Bill does not propose to:

  • empower the Fair Work Commission to arbitrate bargaining disputes about these matters, or make an award including these matters in relation to public sector employers and employees; or
  • permit these matters to form part of an enterprise agreement, workplace determination, or other transferable instrument that applies to public sector employers and employees as a result of a transfer of business.

Accordingly, terms dealing with the number, identity and appointment of public sector employees may only be included in an instrument by agreement. As is the case with all terms to be included in enterprise agreements, employers will need to carefully consider the long-term implications.

Jacqueline Parker
Assistant Victorian Government Solicitor
03 90323011

This blog was prepared with the assistance of Jack Maxwell, Trainee Lawyer, and Emma Buckley Lennox, Seasonal Clerk.

Wednesday, 8 February 2017

Native Title Agreements: All registered native title claimants must sign, says Full Federal Court

The McGlade decision is of national significance and goes to which particular individuals must sign certain agreements under the Native Title Act. The case relates to the $1.3 billion Noongar settlement over the greater Perth area and WA's south west. The decision means that four of the six agreements in the settlement will not be indigenous land use agreements (ILUAs) because of the way they were signed and will not have the full force and effect that the signatories expected them to have under the Native Title Act.

While the case underlines the importance of strictly following the Act's requirements on agreement making, the Commonwealth is presently seeking to legislate to address situations where agreements may now be invalid following the Full Court's decision. A Bill for this purpose passed the lower house on 16 February.

The Bill's primary objectives include ensuring that ILUAs which do not contain the signatures of all members of the registered native title claimants can still be registered and enforceable. The Bill is also intended to apply retrospectively. Importantly though, it is yet to take effect as law. The Senate Legal and Constitutional Affairs Legislation Committee is expected to report on the Bill by 17 March 2017.

VGSO will be working closely with our clients who need assistance in making ILUAs to determine the impacts of these developments. The VGSO is Government's exclusive provider of legal services on native title.

We will bring you further updates as they come to hand.

James Stephens
Principal Solicitor

Friday, 27 January 2017

Personal Information and Metadata: Is the Telstra case really the most important Australian Privacy case to date? We're not so sure.

The Full Federal Court has taken a narrower view of 'personal information' under Commonwealth privacy law than the view preferred by the Australian Privacy Commissioner. However, the decision does not necessarily narrow the statutory definition.

The case related to a journalist's request to Telstra for metadata regarding his mobile phone. The Full Court disagreed with the Commissioner's appeal and confirmed that personal information must be 'about' an individual, and not only information from which the individual's identity could be reasonably ascertained.

The Court expressed doubts about the usefulness of the orders that the Commissioner wanted, and noted that applications by non-parties to make submissions relied on overseas laws with different wording, and appeared to raise issues that went beyond the point being appealed.

While a high level of attention has been given to the case, some commentary has not been substantiated in the decision itself. The case is likely to have limited impact on how the Victorian definition of 'personal information' is interpreted, and might have limited impact more generally because the decision itself is a narrow one. The Full Court did not decide whether the 'metadata' requested in that case was personal information, or rule on hypothetical examples or criteria to assess whether it was. Rather, it confirmed an evaluation will still be necessary in each case based on the facts and circumstances. This includes whether an item of information might be 'about' a person when considered along with other information. Also, the definition of 'personal information' in Commonwealth privacy law has changed since the time the decision relates to.

If you'd like to discuss any of the issues raised by this decision please call James Stephens or Snezana Stojanoska.

James Stephens
Principal Solicitor
03 9947 1422

Snezana Stojanoska
03 9947 1412

Wednesday, 30 November 2016

Vicarious liability - when will an employer be liable for the wrongful acts of an employee?

The recent High Court decision of Prince Alfred College Incorporated v ADC [2016] HCA 37 (PAC) provides guidance on the approach to be taken by courts in determining whether an employer is liable for the wrongful (criminal) acts of an employee. The previous leading case, New South Wales v Lepore [2003] HCA 4 (Lepore), provided no majority view in respect of this issue.

PAC is highly relevant to government departments and agencies, as it specifically concerns the approach to be applied in cases dealing with the abuse of vulnerable persons in educational, residential or care facilities, by persons employed in special positions with respect to these vulnerable persons.


In 1962, ADC was a 12-year-old boarder at Prince Alfred College in Adelaide (College). A senior housemaster and three housemasters, including Dean Bain (Bain), were in charge of the dormitories. Although the housemasters were present during meal times, prefects supervised the day-to-day activities of the junior boys, including showering and lights out. Bain was rostered on a few times a week, was often around during shower time, and told stories to the boys in the dormitory after lights out. The other housemasters did not supervise lights out and did not come into the dormitory. ADC alleged that Bain first molested him when Bain was telling a story during lights out, progressing to being molested in Bain's room, and on one occasion when Bain took him to a house where they spent the night together.

Primary proceeding 

ADC sued the College, arguing (among other things) that it was vicariously liable for Bain's abuse, which had caused him to suffer psychological injury. It was not in dispute that ADC had been abused by Bain, as Bain had previously been convicted of two counts of indecent assault against ADC. The primary judge dismissed the proceeding, declining to extend the time for ADC to bring proceedings. In respect of the vicarious liability claim, Vanstone J concluded that the sexual abuse was 'so far from being connected to Bain's proper role that it could neither be seen as being an unauthorised mode of performing an authorised act, nor in pursuit of the employer's business, nor in any sense within the course of Bain's employment'.

Appeal to Full Court

ADC appealed to the Full Court of the Supreme Court of South Australia, and was granted an extension of time to bring the proceeding. Each member of the Full Court also found the College to have been vicariously liable, but the approaches taken by the judges differed from that taken by the primary judge and differed as between themselves. Factors considered by the judges included the 'spectrum' of intimacy (in this case, ADC being a 12-year-old boarder with a housemaster exercising quasi-parental authority in respect of 'intimate' matters such as showering and bed), that the College enhanced the risk by allowing Bain access to the children without supervision, and that Bain was in a position of power over ADC, with respect to matters of order and discipline.

Appeal to High Court 

The High Court allowed the appeal by the College on the basis that an extension of time to commence the proceeding should not have been granted by the Full Court, and that the issue of liability should not have been considered by the primary judge (i.e. after the judge had determined the proceeding was out of time). However, the High Court acknowledged that, since Lepore, lower courts have been left in an uncertain position about the approach that should be taken in vicarious liability cases of this kind, and that there was a need for guidance to reduce the risk of unnecessary appellate processes arising out of the existing uncertainties.

The relevant approach 

The majority judgment held that the fact that a wrongful act is a criminal offence does not preclude the possibility of vicarious liability, it being possible that in the commission of that act, the employee used or took advantage of the position in which the employment placed the employee in relation to the victim.

Their Honours considered therefore that the relevant approach in determining vicarious liability is to consider any special role that the employer has assigned to the employee, and the subsequent relationship between the employee and the victim, with particular regard to the following features:

  • Authority;
  • Power;
  • Trust;
  • Control; and
  • The ability to achieve intimacy with the victim. 

It was noted that the latter feature may be especially important, it being conceivable that where an employee takes advantage of his or her position in these circumstances, that may suffice to determine that the wrongful act should be regarded as being committed in the course or scope of employment, and as such render the employer vicariously liable. However, their Honours also noted that it was conceivable that while unlawful acts committed in a workplace would attract vicarious liability, some or all of such other unlawful acts committed outside the workplace would not (for example, the offending by Bain which occurred in a house).

The minority judgment accepted that the relevant approach described in the majority judgment will now be applied in Australia, but noted that it does not and cannot prescribe an absolute rule, and that applications of the approach must and will develop case by case.

Andrea Robinson
Principal Solicitor

Anna English
Managing Principal Solicitor