
Tuesday 8 May 2018

The 2018-2019 Victorian Budget: Does your project involve Information Sharing?



The Victorian Budget 2018-19 included allocation of funds to a wide range of areas where government needs to balance privacy concerns with the benefits of sharing information.  Common areas where this arises are family violence and the health, disability, justice and education sectors.

A key announcement in the Budget was the allocation of $13.4 million (and $30 million over the forward estimates) to support a new whole of Government initiative known as the 'Child Information Sharing Reforms'.  This initiative is underpinned by the Children Legislation Amendment (Information Sharing) Act 2018 which came into force on 10 April 2018.  The reforms seek to protect vulnerable children by simplifying and improving information sharing arrangements between specified government agencies and service providers.

Knowing when and how to lawfully disclose information in different contexts is vital.  However, an overly legalistic or unbalanced approach can lead to an unwillingness to share information, which may result in negative outcomes for Victorians, particularly for vulnerable families experiencing family violence who rely on a number of integrated support services, built on effective information sharing. 

A key objective of the Child Information Sharing Reforms is to promote child wellbeing and safety by enabling information sharing.  Budget funding will target training for workers to understand when it is appropriate to share information, to improve early risk identification and intervention and increase collaboration for the wellbeing and safety of children. 

VGSO has extensive experience in advising on information sharing in a wide range of different contexts.  Please call one of our experts in this area if you require assistance in understanding how to discharge your obligations when sharing information: 


Assistant Victorian Government Solicitor 
9947 1404

Managing Principal Solicitor 
9947 1403

Tuesday 17 October 2017

Victorian Government releases its first cyber security strategy

Gavin Jennings the Special Minister of State announced the Victorian Government Cyber Security Strategy on 25 August 2017.  The Victorian Government Solicitor's Office is proud to host a panel discussion on Monday 23 October 2017 regarding Cyber Security and the whole of Victorian Government approach to improve capability and resilience. The event is free and all members of the Victorian Public Service are welcome to attend. You can register for the event here.

The Strategy is to bring a whole of government approach to cyber security to help Victorian Government digital infrastructure better respond to the evolving cyber security environment.  The strategy notes that the security environment is becoming significantly more sophisticated, and as such a more sophisticated approach to cyber security is warranted. This is addressed in 23 action points in 5 categories of action.

Previously, cyber security has been managed on an agency by agency basis, with guidance from sources such as the Victorian Protective Data Security Framework.  The strategy aims to leverage all Government learning in the area, in recognition that not all agencies have the same resources to deal with the cyber threat.

The key element announced is the creation of the Chief Information Security Officer within the Department of Premier and Cabinet. Mr John O'Driscoll has been appointed to the role and will be responsible for overseeing Government's response to the cyber threat, developing best practice, providing assurance, reporting internally on the Government's cyber security status and coordinating cross Government action. You can read the media release announcing the appointment here.

The strategy also aims to enhance Government capability in terms of strategic planning, reporting and technical proficiency, both through partnering agreements and a dedicated push for skilled workers.

We anticipate rapid change in this space, with 19 of the 23 action points due to be delivered by April 2018.

If you'd like to discuss managing the legal risks relating to a cyber security breach, please contact us:

Isabel Parsons
Managing Principal Solicitor
9947 1405

Tina Lee
Principal Solicitor
9947 1426

James Stephens
Principal Solicitor
9947 1422

Stuart Taylor
Solicitor
9947 1415

Tuesday 13 June 2017

Coming soon! Cyber security audits announced by VAGO


The Victorian Auditor-General’s Office (VAGO) has this month announced plans to conduct audits on departments and agencies to assess their implementation of the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS), as well as cyber security strategy.

The audits, to run in 2018-19, will ascertain whether the VPDSF and VPDSS have been effective in improving cyber resilience in government to determine whether departments and agencies can adequately prevent, respond to and recover from cyber security attacks.

The Commissioner for Privacy and Data Protection released the VPDSF and VPDSS in mid-2016 to provide direction for Victorian public sector agencies on their data security obligations.  Department heads must prepare Protective Data Security Plans to address the VPDSS and submit the plan to the Commissioner.

Whilst VAGO will be undertaking performance audits for the purpose of ascertaining the effectiveness of the VPDSF and VPDSS in improving government's cyber resilience, the Commissioner may also conduct monitoring and assurance activities, including audits, to ascertain whether departments and agencies are complying with data security standards.

If you would like to know more, contact:

Rebecca Radford
9947 1403

Snezana Stojanoska
9947 1412

James Stephens
9947 1422

Thursday 25 May 2017

Don't buy a data breach - Privacy and data security when procuring goods and services

At our recent monthly seminar 'Information Sharing and Data Protection - Know your Value', we discussed the importance of monitoring suppliers to mitigate privacy and data breaches.  This data security theme was continued during the Commissioner for Privacy and Data Protection's recent Privacy Awareness Week.

Remember these key messages and tips to help minimise the risk of your procurement experiencing a data or privacy breach:

Value your Data

From the outset, think about the value of the data that your supplier will collect or have access to during the arrangement.  This will enable you to determine the appropriate information handling and privacy requirements you'll need.

Choose the Right Supplier 

Ensure that your information handling and privacy requirements are part of your sourcing plan and clearly set out in your market facing documents.  Award a contract to a supplier who can demonstrate a good track record of understanding and implementing privacy and data security.

One size does not fit all  

Your risk management strategy needs to be proportionate and tailored to the size and activity of your procurement.  Data heavy supply arrangements may need to consider additional protections, including how information will be managed when a supplier transitions out.

Monitor your supplier's performance against the contract 

The words in the agreement are important, but ongoing contract management is necessary for early detection of possible data and privacy breaches.

If you'd like assistance on managing your suppliers to meet your information handling obligations, please contact:

Rebecca Radford
9947 1403

James Stephens
9947 1422

Snezana Stojanoska
9947 1412

Tuesday 14 March 2017

Victorian Commissioner for Privacy and Data Protection Report - Learnings and Hurdles

A recent Commissioner for Privacy and Data Protection (CPDP) report on information governance at the Department of Health and Human Services (DHHS) provides valuable guidance to assist government agencies to comply with the Privacy and Data Protection Act 2014 (Act) and the Victorian Protective Data Security Standards, in particular.  Below we look at key learnings that other agencies can take on board as part of their own compliance preparation.

A high priority: manage your contracted service providers


Department and agency heads will be responsible for ensuring that both their own organisations and their Contracted Service Providers (CSP) comply with the Standards.  Contract terms making CSPs liable for compliance with the Information Privacy Principles won't remove the risk of privacy and data security incidents occurring.

The finding in the Report showed that while agencies must ensure their agreements with CSPs are consistent and reflect up to date information governance requirements, there needs to be appropriate and effective resourcing, due diligence and monitoring of CSP compliance too.  Without appropriate monitoring, there is a greater risk of incidents which could mean that the agency may not have met its obligations under the Act.

Achieving compliance with the Victorian Protective Data Security Standards


The Report recognises that not all Victorian Public Sector organisations may be fully compliant with the Standards by July 2018.  Showing that you are on track is crucial though, and submitting a security assessment and plan to the CPDP is mandatory.  Further, the CPDP recognises that some agencies may already comply with much of the Standards by having implemented the Information Security Management Framework (2009) and through annual reporting to the Victorian Auditor-General's Office.  The steps required to achieve compliance will not necessarily be the same for all agencies or wholly new or particularly onerous.

Other factors to consider in your compliance framework


  • Are your information policies and procedures consistent and do they reference each other?  Are your staff aware of where to find them, and are they regularly checked and updated?
  • Does your organisation have up to date privacy and data security incident management procedures? Does your organisation need defined criteria of when to notify others and escalate incidents?
  • Have you developed scenario-based privacy and data-security training for CSPs and your frontline staff based on their day-to-day roles?
  • Do you need an information asset register?  This can identify the information you handle, its value, risks and regulatory requirements, and how to use and manage it.


If you have any queries regarding privacy law in Victoria, please call:

Rebecca Radford
Managing Principal Solicitor
9947 1403

Molina Asthana
Principal Solicitor
9947 1420

James Stephens
Principal Solicitor
9947 1422

Friday 27 January 2017

Personal Information and Metadata: Is the Telstra case really the most important Australian Privacy case to date? We're not so sure.

The Full Federal Court has taken a narrower view of 'personal information' under Commonwealth privacy law than the view preferred by the Australian Privacy Commissioner. However, the decision does not necessarily narrow the statutory definition.

The case related to a journalist's request to Telstra for metadata regarding his mobile phone. The Full Court disagreed with the Commissioner's appeal and confirmed that personal information must be 'about' an individual, and not only information from which the individual's identity could be reasonably ascertained.

The Court expressed doubts about the usefulness of the orders that the Commissioner wanted, and noted that applications by non-parties to make submissions relied on overseas laws with different wording, and appeared to raise issues that went beyond the point being appealed.

While a high level of attention has been given to the case, some commentary has not been substantiated in the decision itself. The case is likely to have limited impact on how the Victorian definition of 'personal information' is interpreted, and might have limited impact more generally because the decision itself is a narrow one. The Full Court did not decide whether the 'metadata' requested in that case was personal information, or rule on hypothetical examples or criteria to assess whether it was. Rather, it confirmed an evaluation will still be necessary in each case based on the facts and circumstances. This includes whether an item of information might be 'about' a person when considered along with other information. Also, the definition of 'personal information' in Commonwealth privacy law has changed since the time the decision relates to.

If you'd like to discuss any of the issues raised by this decision please call James Stephens or Snezana Stojanoska.

James Stephens
Principal Solicitor
03 9947 1422

Snezana Stojanoska
Solicitor
03 9947 1412


Thursday 4 August 2016

Shining a light on innovation…

Everyone is talking about innovation - the Commonwealth Government wants us to be an 'innovation nation' and entrepreneurs like Elon Musk and Steve Jobs are the rock stars of our era.  Innovation is often associated with technology, investment banking and start ups.  Like all stereotypes, it tells only part of the story.  Some of the most interesting innovation is happening in our backyard - the Victorian public sector.

In addition to encouraging innovation in the private sector, the Victorian Government is encouraging the public sector to consider how we can perform our functions and deliver public services better. What is better depends on what you are trying to achieve - it might mean 'better', in the sense that a citizen gets the public service they need more quickly and easily; it might mean 'better', in the sense of more efficient use of public money; or maybe it means 'better' in the sense of a new function being performed that was previously thought to be impossible or outside of the capacity of the public sector.

The Victorian Government is supporting the public sector to act on their innovative ideas through:

  • The Public Sector Innovation Fund provides funding support for pilot projects that test or prove new knowledge, technologies, processes or practices to deliver public value and that can be scaled or replicated across government.  Grants of $50,000 to $400,000 are available.
  • At the Australian Information Industry Association iAwards, the Premier will award the inaugural iAward for Public Sector Innovation. The winner will be revealed on 1 September 2016.

Examples of projects already funded by the Public Sector Innovation Fund include:

  • Code for Victoria Challenge, in which three teams of Code for Australia Fellows will be placed within government departments for six months. The Fellows will create new tools or streamline processes that will make government information more open and accessible online, and improve the delivery of government services.  The first round of the Code for Victoria Innovation Challenge recipients have just been announced this week.
  • The 2016 Budget Hack brought together the public sector, the tech community and industry leaders to find new and better ways to visualise, use and leverage data from the State Budget.  The winning entry, Bling My Suburbs, allows users to search budget information by suburb.  The other entries in the top three included Budget Pie, which allows a user to see how much funding was allocated to the issues affecting them (i.e. how much of the pie do my issues get?!), and Ask Budget, which uses a word cloud to identify how frequently an issue was mentioned and then summarises the mentions.

Many of the innovations are not complicated, nor did they require a Steve Jobs to think of them. Many of the examples of public sector innovation start with an idea or feedback from a citizen.  For example:

  • Service Victoria is creating a 'one stop shop' for citizens looking for government information.  I tried it out on my sister, who is moving house this weekend. Through some simple questions asked of the website over dinner, my sister found the right places to change her driver's licence, find out who her new council and MPs are, when her hard rubbish collection is and how much her rates will be.  Service Victoria received additional funding in the recent State Budget, which will enable them to implement its objective of digitising more government transactions. 
  • EPA AirWatch provides visual information on air quality on an hourly basis.  Using a Google map, the user can see the status of air quality at a monitoring station (Very Good, Good, Poor, etc) and then see a more detailed break down of the readings, including a health category.
  • The online family violence intervention application form [] allows people to apply for intervention orders online, rather than by submitting a paper form.  The online format allows high risk cases to be flagged and brought to the attention of a magistrate earlier.  The form has been piloted at the Neighbourhood Justice Centre and, with a grant from the Public Sector Innovation Fund, will now be rolled out to the Magistrates' Court.

Innovation is also happening in government legal services.

  • Government departments are exploring ways in which government can benefit from 'the new legal paradigm', in which technology and new business models are reducing legal costs and communication styles are changing.  Some departments have started the conversation with panel law firms.
  • VGSO has appointed its first Innovation Counsel who has challenged and evangelised our lawyers to explore with government agencies how legal services can be delivered in ways that better meet the needs of government.

Everyone is talking innovation - and the Victorian public sector is doing innovation.  How is your agency innovating?  What do you think the public sector could do differently or better?  Tell us your thoughts in the comments.

To find out more please contact:

Katie Miller
Innovation Counsel

Andrew Suddick
General Counsel

Joanne Kummrow
Special Counsel

Thursday 4 June 2015

Smile, you could be on 'body worn camera'

Take a closer look at all the gadgets and equipment worn by your local police officer and you might notice a small vest-mounted video camera attached to his or her lapel.  The camera, called a body worn camera (BWC), records police interactions with the public, and BWCs may soon be worn by front line officers across the country.

According to news reports, BWCs are popular and have been trialled in every Australian state. For example:

Even in the US, President Obama has reportedly asked Congress for $263 million over three years for 50,000 BWCs across the country following the tragic events in Ferguson, Missouri. It wouldn't be surprising to see the use of BWCs extend beyond policing to other areas of enforcement - perhaps parking inspectors, park rangers or fisheries officers keen to document their encounters on duty.

What are their key advantages?


1. Potential reduction in violence.

There is little data on the efficacy of BWCs, but what exists is positive.  The most widely cited study tracked their use by police in Rialto, California.  There, Cambridge researchers found that the use of BWCs decreased incidents of the use of force by 59% and complaints against police by 87%.

Although limited, the study suggests that people are less willing to resort to violence and that police behaviour improves when both parties know they are being recorded, and it also appears to deter members of the public from bringing spurious complaints.

2. Use as an evidentiary tool.

For investigating and prosecuting agencies, the BWC is no doubt appealing as an evidentiary tool.  Clear, verifiable footage captured by BWCs could reduce hours in court examining and verifying the veracity of oral accounts.  This in turn would reduce the public resources spent on each trial and enable courts to hear more cases in less time.

However, investigating agencies using or considering using BWC footage as evidence will need to take into account a range of factors including:

  • Admissibility requirements. The admissibility of footage captured by body worn cameras will generally be governed by the principles which apply to the admissibility of evidence in general.  In Victoria these principles are set out in the Evidence Act 2008, which generally provides that evidence is admissible if it is relevant to the issues in dispute between the parties and either is not hearsay or, if hearsay, falls within an exception to the hearsay rule.  However, depending on the jurisdiction in which the dispute is brought, other provisions may be applicable: see for example s 98(1)(b) of the Victorian Civil and Administrative Tribunal Act 1998.
  • Pre-trial disclosure requirements. Agencies will need to be equipped to hand over relevant footage, or at least have facilities for defence lawyers to view the footage in a secure setting.  Whether interested parties, including the media, can access footage when no prosecution is on foot will be another matter for determination.

Other legal considerations


Privacy 


To date, no specific Victorian legislation removes the statutory privacy obligations of police and other agencies using BWCs.  Agencies intending to use BWCs should therefore ensure that their use complies with legislation regulating the collection, use and disclosure of personal and health information, and in particular the Charter of Human Rights and Responsibilities Act 2006, the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001. Notably, the law enforcement exemption to the PDP Act, if applicable, would allow Victoria Police to collect, use, disclose and restrict access to information recorded by BWCs when reasonably necessary to carry out law enforcement functions. In some circumstances the Surveillance Devices Act 1999 may also apply. Amendments to privacy notices are likely to be required.

The law also restricts publication of personal and sensitive information including details of sexual assault, family violence victims and children involved in court proceedings, and information that could prejudice the fairness of any pending or in progress trials.  Agencies will need to be especially careful to identify and appropriately deal with personal information of third parties that is captured in background events and peripheral conversations.

Data retention


Information collected via BWCs must be securely stored and otherwise dealt with in accordance with legislation, including the Public Records Act 1973 and the PDP Act Parts 4 and 5 as applicable.  From a practical perspective, continuous recording could mean enormous data storage costs, so agencies will need to develop policies on when to turn the cameras on and off. For example, it has been reported that the practice in the Northern Territory is to turn on the BWC only when police exercise their powers or 'make customer contact or custody'.

For further information on these issues please contact members of our Policing Practice Group or Technology and Data Protection Practice Group:

Louise Jarrett
Managing Principal Solicitor
t 9247 6798
louise.jarrett@vgso.vic.gov.au

Grahame Best
Solicitor
t 9247 6425
grahame.best@vgso.vic.gov.au

Deidre Missingham
Senior Solicitor
t 8684 0483
deidre.missingham@vgso.vic.gov.au

Friday 24 April 2015

To retain or not to retain, that is the question: PROV's new record keeping policy


Interest in records management tends to be events driven.  Last year the release of the Privacy and Data Protection Act 2014 (PDP Act) heightened awareness of data security issues for government entities.  Then in the lead up to the 2014 State election, minds were turned to which documents should be retained, or not retained, as the case may be.

But best-practice records management presents constant challenges in respect of both form and content of records.  Records now come in diverse forms - not only traditional paper documents and record-keeping or business systems, but also email and social media accounts and network drives, for example.  But their significance is premised on their nature and content, which in some cases can be difficult to assess. 

Additional guidance is now to hand.

New policy released

In February this year, Public Record Office Victoria (PROV) released an over-arching policy on record-keeping for the Victorian Government, pursuant to its responsibility for collecting and preserving records from all Victorian government and local governing bodies whose records are public records under the Public Records Act 1973 (PR Act).    

PROV's new 'Record Keeping Policy: Appraisal Statement for Public Records required as State Archives' (Appraisal Statement) sets out the key appraisal considerations for specifying and identifying those Victorian records that are of permanent value to the Government and people of Victoria.  

What is 'appraisal'?

Appraisal is the process by which those records that are required for preservation as State Archives are identified by Government agencies.  In PROV's words:

appraisal is a planned and documented process based on research and analysis to provide transparent, reasoned and consistent reasons for the retention or non-retention of records. It is a reasonably complex, judicious and somewhat subjective process that involves the evaluation of the continuing value of records for the government and community against the cost of retaining and keeping the records accessible in perpetuity.

PROV has divided the characteristics of records of enduring value into the following six categories:
  1. The authority, establishment and structure of government;
  2. Primary functions and programs of government;
  3. Enduring rights and entitlements (of individuals and groups);
  4. Significant impact on individuals;
  5. Environmental management and change; and
  6. Significant contribution to community memory.
Some of these activities and associated records are relatively self-evident.  For example, in respect of the second category, PROV lists the State budget papers as an example of 'Records that illustrate the government's role in the management of the Victorian economy'.

However other categories, notably the fourth, are potentially more problematic.  Here PROV's guidance is particularly useful in circumstances where appraisal decisions may affect the 'most vulnerable members of Victorian society'.  Records listed as potentially falling into category four include:
  • Collections and analyses of data compiled for planning and decision making;
  • Representations and appeals against the decisions/actions of government or legislature; and
  • Petitions documenting significant community opposition to government actions or policies.

Records not of permanent value

But what about those records appraised as not being of permanent value? All public records must continue to be retained for as long as they're needed to meet Government's administrative needs and legislative requirements, and to support accountability and community expectations. Section 19 of the PR Act has the effect that it is unlawful to dispose of or destroy a public record other than in accordance with a Standard made under s 12.  Minimum periods are set out in the Standards, or Retention and Disposal Authorities, issued by PROV for use by Government agencies.

Retention periods and personal information

Since opinions may differ as to how an individual record should be categorised in light of the Standards, these minimum periods are not without controversy, particularly in light of the requirements of Information Privacy Principle (IPP) 4.2 of the PDP Act (and its predecessor in the Information Privacy Act 2000).  IPP 4.2 requires destruction or permanent de-identification of personal information 'if it is no longer needed for any purpose'. 

The PR Act prevails over IPP 4.2 as a result of s 6 of the PDP Act (and previously s 6 of the IP Act).  Decisions of the Victorian Civil and Administrative Tribunal have accepted that personal information retained pursuant to a requirement of the PR Act is still relevantly 'needed' for a purpose (Caripis v Victoria Police (Health and Privacy) [2012] VCAT 1472; Zeqaj v Victoria Police (Human Rights) [2013] VCAT 2105).

Agencies should therefore be aware that retention of personal information beyond the retention period specified in a relevant Standard increases their risk if a complaint is made under IPP 4.2.  Moreover, when protective data security standards are released this year under the PDP Act, agencies may need to reevaluate the cost of managing any records that they are not required to retain.

If you are in the Victorian Government and would like assistance in respect of your agency's records management or privacy obligations, contact:

Managing Principal Solicitor
9947 1403

Senior Solicitor
8684 0483

Thursday 21 August 2014

Privacy Bill Passes

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was passed by the Legislative Council. Once proclaimed, the new Act is set to commence no later than 9 December 2014. 

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 2005 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

The Bill ushers in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.


Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:

  • Schedule 1, the Information Privacy Principles (IPPs);
  • the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
  • the codes of practice provisions; and
  • the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:

  1. a public interest determination (PID), or a temporary public interest determination (TPID); or
  2. an approved information usage arrangement (IUA).

Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.


PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:

  • an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
  • an approved code of practice,

it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months' duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.


IUAs

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:

  1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
  2. in respect of any of those acts or practices,
    i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
    ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.


Certification

A further new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations that act in good faith on the basis of a certification will be protected while it is in force.


Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:

  • the Victorian protective data security framework, developed by the Commissioner;
  • protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
  • protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.


A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.


What about law enforcement data security?

Together with the PDP Bill, the Crime Statistics Bill 2014 (CS Bill) was also passed by the Upper House this week. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the CS Bill. The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

If you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, or for advice concerning the imminent new Act, call:


Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au
8684 0483


Privacy and Data Protection Bill 2014 Workshops for the Victorian Public Sector

VGSO has held a number of small-group workshops to assist clients to understand the scope of their obligations under the Bill.

Places are still available for the final workshop on Friday 29 August 2014 via www.vgso.vic.gov.au.

To request information about customised training or join the waitlist for future workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.

Friday 13 June 2014

Privacy Bill Goes Public

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was introduced into Parliament, and second-read yesterday by the Attorney-General. The Bill reflects the Government’s 2012 commitment to strengthening the protection of personal and other information handled by Victorian government agencies.

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 1995 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

Nevertheless, if the Bill is passed and assented to, it will usher in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.

Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:
  • Schedule 1, the Information Privacy Principles (IPPs);
  • the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
  • the codes of practice provisions; and
  • the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:
  1. a public interest determination (PID), or a temporary public interest determination (TPID); or
  2. an approved information usage arrangement (IUA).
Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.

PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:
  • an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
  • an approved code of practice,
it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.

IUAs

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:
  1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
  2. in respect of any of those acts or practices,
    i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
    ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.

Certification

A further new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations that act in good faith on the basis of a certification will be protected while it is in force.

Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:
  • the Victorian protective data security framework, developed by the Commissioner;
  • protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
  • protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.

A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.

What about law enforcement data security?

Together with the Bill, the Crime Statistics Bill 2014 has also been introduced into Parliament. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the Crime Statistics Bill. The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

This Bill is yet to be debated in Parliament, and is sure to attract considerable public attention and comment over the coming weeks. Meanwhile, if you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, call:

Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au

Forthcoming seminar for the Victorian Public Sector

VGSO is delighted to announce that the speaker at our seminar on 22 July will be David Watts, who is currently the Acting Privacy Commissioner and CLEDS Commissioner. Also presenting will be Deidre Missingham who, on secondment from the VGSO to the Department of Justice, was the Senior Legal Policy Officer and principal instructor in relation to the new Bill.

To reserve a seat at this seminar, please contact VGSO via marketing.team@vgso.vic.gov.au.

Privacy and Data Protection Bill 2014 Workshops for the Victorian Public Sector

VGSO is holding small-group workshops on the following dates to assist clients to understand the scope of their obligations under this new Bill.
  • Friday 8 August
  • Monday 11 August
  • Friday 15 August
  • Tuesday 19 August

To register your interest in these workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.