Privacy Bill Goes Public

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was introduced into Parliament, and second-read yesterday by the Attorney-General. The Bill reflects the Government’s 2012 commitment to strengthening the protection of personal and other information handled by Victorian government agencies.

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 1995 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

Nevertheless, if the Bill is passed and assented to, it will usher in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.

Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:

• Schedule 1, the Information Privacy Principles (IPPs);
• the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
• the codes of practice provisions; and
• the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:

1. a public interest determination (PID), or a temporary public interest determination (TPID); or
2. an approved information usage arrangement (IUA).

Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.

PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:

• an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
• an approved code of practice,

it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.

IUAs 

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:

1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
2. in respect of any of those acts or practices,
   i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
   ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.

Certification

One additional new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.

Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:

• the Victorian protective data security framework, developed by the Commissioner;
• protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
• protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.

A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.

What about law enforcement data security?

Together with the Bill, the Crime Statistics Bill 2014 has also been introduced in to Parliament. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the Crime Statistics Bill.  The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

This Bill is yet to be debated in Parliament, and is sure to attract considerable public attention and comment over the coming weeks. Meanwhile, if you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, call:

Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au

 Forthcoming seminar for the Victorian Public Sector 

VGSO is delighted to announce that the speaker at our seminar on 22 July will be David Watts, who is currently the Acting Privacy Commissioner and CLEDS Commissioner. Also presenting will be Deidre Missingham who, on secondment from the VGSO to the Department of Justice, was the Senior Legal Policy Officer and principal instructor in relation to the new Bill.

To reserve a seat at this seminar, please contact VGSO via marketing.team@vgso.vic.gov.au.

 Privacy and Data Protection Bill 2014 Workshops for the Victorian  Public Sector 

VGSO is holding small-group workshops on the following dates to assist clients to understand the scope of their obligations under this new Bill.
• Friday 8 August
• Monday 11 August
• Friday 15 August
• Tuesday 19 August

To register your interest in these workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.

9 things you should know about the draft VPS Intellectual Property Guidelines

The Intellectual Property Guidelines for the Victorian Public Sector have been published as a working draft.

The Guidelines will support the Whole of Victorian Government Intellectual Property Policy Intent and Principles (IP Policy), created in August 2012. The IP Policy sets out broad principles on the State's ownership and management of its intellectual property and its use of third party intellectual property. The Guidelines, provide guidance on the specific steps government agencies should take to comply with the IP Policy.

The IP Policy and the Guidelines apply to all departments and public bodies of the State. ‘Public body’ includes State business corporations and statutory authorities.

The draft Guidelines are a 'must read' for departments and agencies, who will need to implement the processes outlined. They also provide links to useful resources and an indication of when specific legal advice may be required.

Here are 9 things you should know about the Guidelines:

1. Many requirements of the Guidelines will only apply to 'significant' IP - for example, where the IP is particularly valuable or important to the operations of the agency.
2. The Guidelines will require agencies to manage their own IP and be responsible for implementing the IP Policy. (This is different to the previous position where requests to make use of State owned copyright material required the Attorney General’s approval.) Agencies will also need to actively foster compliance and awareness of the IP Policy and Guidelines.
3. The Guidelines acknowledge that agencies may have specific IP provisions in their establishing legislation. For example, the Transport Integration Act 2010 (Vic) empowers the Secretary of the Department of Transport to acquire, hold, licence, exploit or dispose of IP. Agencies need to consider the interaction between the IP Policy and these provisions.
4. The Guidelines set out specific recording and reporting requirements
1. Maintaining an intellectual property register recording information about any significant IP of the agency, including the creator, its identifying details, any IP registrations, the start and end date of the IP protection, relevant contracts and any important ownership and licensing details.
2. Reporting IP infringements to DTF, as the responsible agency. (The Guidelines contain materials on circumstances where it will be appropriate for an agency to enforce State IP rights, and a substantial section highlighting law relevant to use by the State of third party IP).
5. The Guidelines set out how to address IP in government contracts. Not sure where to start? For IP under procurement contracts, Chapter 5 of the Guidelines provides for a default position whereby:
1. each party retains ownership of its background IP;
2. the contractor grants the agency a licence over its background IP and third party IP to the extent needed for the agency to enjoy the full benefit of the agreement; and
3. the contractor owns the project IP developed but grants the agency a licence over the project IP to the extent necessary to achieve the procurement purposes.
6. The Guidelines encourage agencies to develop template procurement contracts to reflect the IP Policy. DTF is currently working with the Victorian Government Purchasing Board to ensure consistency between the IP Policy and the VGPB requirements. (Chapter 6 deals with these issues for IP under funding and grant agreements.)
7. There is a substantial section on licensing and public release of materials where the State owns the relevant IP. The preferred form of licence for State copyright material is a Creative Commons licence (Australian version). Specific guidance is provided on the selection and use of the various types of Creative Commons licences for new and existing materials..
8. The Guidelines address the commercial dimensions of IP where there has been little guidance in the past, including:
1. the factors to consider to value IP;
2. when a State agency can commercialise its IP through licence or sale (the IP Policy has imposed significant restrictions on commercialisation, including requirements for authorisations, and the application of the Cost Recovery Guidelines);
3. when a State agency should reassign or dispose of its IP and how to do this in an open, accountable and competitive manner.
9. There is a full chapter on moral rights, and practical guidance as to when the State should seek moral rights consents from its employees and contractors, together with a template consent form.

For more information about the IP Policy or the draft Guidelines, please contact:
Isabel Parsons
Special Counsel
t 9947 1405
isabel.parsons@vgso.vic.gov.au