Privacy Bill Goes Public

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was introduced into Parliament, and second-read yesterday by the Attorney-General. The Bill reflects the Government’s 2012 commitment to strengthening the protection of personal and other information handled by Victorian government agencies.

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 1995 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

Nevertheless, if the Bill is passed and assented to, it will usher in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.

Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:

• Schedule 1, the Information Privacy Principles (IPPs);
• the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
• the codes of practice provisions; and
• the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:

1. a public interest determination (PID), or a temporary public interest determination (TPID); or
2. an approved information usage arrangement (IUA).

Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.

PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:

• an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
• an approved code of practice,

it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.

IUAs 

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:

1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
2. in respect of any of those acts or practices,
   i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
   ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.

Certification

One additional new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.

Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:

• the Victorian protective data security framework, developed by the Commissioner;
• protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
• protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.

A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.

What about law enforcement data security?

Together with the Bill, the Crime Statistics Bill 2014 has also been introduced in to Parliament. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the Crime Statistics Bill.  The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

This Bill is yet to be debated in Parliament, and is sure to attract considerable public attention and comment over the coming weeks. Meanwhile, if you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, call:

Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au

 Forthcoming seminar for the Victorian Public Sector 

VGSO is delighted to announce that the speaker at our seminar on 22 July will be David Watts, who is currently the Acting Privacy Commissioner and CLEDS Commissioner. Also presenting will be Deidre Missingham who, on secondment from the VGSO to the Department of Justice, was the Senior Legal Policy Officer and principal instructor in relation to the new Bill.

To reserve a seat at this seminar, please contact VGSO via marketing.team@vgso.vic.gov.au.

 Privacy and Data Protection Bill 2014 Workshops for the Victorian  Public Sector 

VGSO is holding small-group workshops on the following dates to assist clients to understand the scope of their obligations under this new Bill.
• Friday 8 August
• Monday 11 August
• Friday 15 August
• Tuesday 19 August

To register your interest in these workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.