Thursday 21 August 2014

Privacy Bill Passes

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was passed by the Legislative Council. Once proclaimed, the new Act is set to commence no later than 9 December 2014. 

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 2005 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

The Bill ushers in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.


Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:
Schedule 1, the Information Privacy Principles (IPPs);
the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
the codes of practice provisions; and
the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:

  1.  a public interest determination (PID), or a temporary public interest determination (TPID); or
  2. an approved information usage arrangement (IUA).

Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.


PIDs and TPIDs

 The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:

  • an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
  • an approved code of practice,

 it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.


IUAs 

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:

  1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
  2. in respect of any of those acts or practices,
    i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
    ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.


Certification

One additional new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.


Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:

  • the Victorian protective data security framework, developed by the Commissioner;
  • protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
  • protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.


A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.


What about law enforcement data security?

Together with the PDP Bill, the Crime Statistics Bill 2014 (CS Bill) was also passed by the Upper House this week. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the CS Bill.  The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

If you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, or for advice concerning the imminent new Act, call:


Carolyn Doyle
 Managing Principal Solicitor
 carolyn.doyle@vgso.vic.gov.au
 9947 1403

Deidre Missingham
 Senior Solicitor
 deidre.missingham@vgso.vic.gov.au
 8684 0483


Privacy and Data Protection Bill 2014 Workshops for the Victorian  Public Sector 

VGSO has held a number of small-group workshops to assist clients to understand the scope of their obligations under the Bill.

Places are still available for the final workshop on Friday 29 August 2014 via www.vgso.vic.gov.au .

To request information about customised training or join the waitlist for future workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.