
Tuesday, 3 December 2019

VCAT confirms scope of data security obligations when serving documents

A recent VCAT decision found that privacy obligations with respect to court or tribunal documents that are served on a party cease upon valid service, even if the recipient refuses to accept service and abandons the documents.

On 1 December 2017, police officers attended Mr Zeqaj's workplace to serve him with documents on behalf of the Australian Taxation Office.  When Mr Zeqaj refused to accept service, the police officers placed the documents down in his presence and left.  Mr Zeqaj alleged that by serving him at his workplace and by leaving the documents unattended, Victoria Police contravened Information Privacy Principle (IPP) 4.1, which provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

VCAT found that Victoria Police had not contravened IPP 4.1 because the disclosure was authorised.  Victoria Police had collected the personal information for the purpose of serving it on Mr Zeqaj, and had effected service by identifying Mr Zeqaj and giving him 'ready and unimpeded means of exercising physical custody or control' over the documents.  Once the documents had been served, Victoria Police no longer 'held' the information within the meaning of IPP 4.1 and any unauthorised access from that point was a result of Mr Zeqaj's decision not to take possession of the documents.

VCAT also found that it did not have jurisdiction to consider Mr Zeqaj's claim that his rights under the Charter of Human Rights and Responsibilities Act 2006 had been breached because the claim had not been included in the original complaint to the Information Commissioner, or in the referral from the Commissioner to VCAT.

Contact us: 

Louise McNeil
Senior Solicitor
louise.mcneil@vgso.vic.gov.au

Catherine Roberts
Lead Counsel
catherine.roberts@vgso.vic.gov.au

Case: Zeqaj v Victoria Police (Human Rights) [2019] VCAT 1641

Tuesday, 8 May 2018

The 2018-2019 Victorian Budget: Does your project involve Information Sharing?



The Victorian Budget 2018-19 included allocation of funds to a wide range of areas where government needs to balance privacy concerns with the benefits of sharing information.  Common areas where this arises are family violence and the health, disability, justice and education sectors.

A key announcement in the Budget was the allocation of $13.4 million (and $30 million over the forward estimates) to support a new whole-of-government initiative known as the 'Child Information Sharing Reforms'.  This initiative is underpinned by the Children Legislation Amendment (Information Sharing) Act 2018, which came into force on 10 April 2018.  The reforms seek to protect vulnerable children by simplifying and improving information sharing arrangements between specified government agencies and service providers.

Knowing when and how to lawfully disclose information in different contexts is vital.  However, an overly legalistic or unbalanced approach can lead to an unwillingness to share information, which may result in negative outcomes for Victorians, particularly for vulnerable families experiencing family violence who rely on a number of integrated support services, built on effective information sharing. 

A key objective of the Child Information Sharing Reforms is to promote child wellbeing and safety by enabling information sharing.  Budget funding will target training for workers to understand when it is appropriate to share information, to improve early risk identification and intervention and increase collaboration for the wellbeing and safety of children. 

VGSO has extensive experience in advising on information sharing in a wide range of different contexts.  Please call one of our experts in this area if you require assistance in understanding how to discharge your obligations when sharing information: 


Assistant Victorian Government Solicitor 
9947 1404

Managing Principal Solicitor 
9947 1403

Tuesday, 13 June 2017

Coming soon! Cyber security audits announced by VAGO


The Victorian Auditor-General’s Office (VAGO) has this month announced plans to conduct audits on departments and agencies to assess their implementation of the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS), as well as cyber security strategy.

The audits, to run in 2018-19, will ascertain whether the VPDSF and VPDSS have been effective in improving cyber resilience in government to determine whether departments and agencies can adequately prevent, respond to and recover from cyber security attacks.

The Commissioner for Privacy and Data Protection released the VPDSF and VPDSS in mid-2016 to provide direction for Victorian public sector agencies on their data security obligations.  Department heads must prepare Protective Data Security Plans to address the VPDSS and submit the plan to the Commissioner.

Whilst VAGO will be undertaking performance audits for the purpose of ascertaining the effectiveness of the VPDSF and VPDSS in improving government's cyber resilience, the Commissioner may also conduct monitoring and assurance activities, including audits, to ascertain whether departments and agencies are complying with data security standards.

If you would like to know more, contact:

Rebecca Radford
9947 1403

Snezana Stojanoska
9947 1412

James Stephens
9947 1422

Thursday, 25 May 2017

Don't buy a data breach - Privacy and data security when procuring goods and services

At our recent monthly seminar 'Information Sharing and Data Protection - Know your Value', we discussed the importance of monitoring suppliers to mitigate privacy and data breaches.  This data security theme was continued during the Commissioner for Privacy and Data Protection's recent Privacy Awareness Week.

Remember these key messages and tips to help minimise the risk of your procurement experiencing a data or privacy breach:

Value your Data

From the outset, think about the value of the data that your supplier will collect or have access to during the arrangement.  This will enable you to determine the appropriate information handling and privacy requirements you'll need.

Choose the Right Supplier 

Ensure that your information handling and privacy requirements are part of your sourcing plan and clearly set out in your market-facing documents.  Award the contract to a supplier who can demonstrate a good track record of understanding and implementing privacy and data security.

One size does not fit all  

Your risk management strategy needs to be proportionate and tailored to the size and activity of your procurement.  Data heavy supply arrangements may need to consider additional protections, including how information will be managed when a supplier transitions out.

Monitor your supplier's performance against the contract 

The words in the agreement are important, but ongoing contract management is necessary for early detection of possible data and privacy breaches.

If you'd like assistance on managing your suppliers to meet your information handling obligations, please contact:

Rebecca Radford
9947 1403

James Stephens
9947 1422

Snezana Stojanoska
9947 1412

Tuesday, 14 March 2017

Victorian Commissioner for Privacy and Data Protection Report - Learnings and Hurdles

A recent Commissioner for Privacy and Data Protection (CPDP) report on information governance at the Department of Health and Human Services (DHHS) provides valuable guidance to assist government agencies to comply with the Privacy and Data Protection Act 2014 (Act) and the Victorian Protective Data Security Standards, in particular.  Below we look at key learnings that other agencies can take on board as part of their own compliance preparation.

A high priority: manage your contracted service providers


Department and agency heads will be responsible for ensuring that both their own organisations and their Contracted Service Providers (CSP) comply with the Standards.  Contract terms making CSPs liable for compliance with the Information Privacy Principles won't remove the risk of privacy and data security incidents occurring.

The Report found that, while agencies must ensure their agreements with CSPs are consistent and reflect up-to-date information governance requirements, there also needs to be appropriate and effective resourcing, due diligence and monitoring of CSP compliance.  Without appropriate monitoring, there is a greater risk of incidents, which could mean that the agency has not met its obligations under the Act.

Achieving compliance with the Victorian Protective Data Security Standards


The Report recognises that not all Victorian Public Sector organisations may be fully compliant with the Standards by July 2018.  Showing that you are on track is crucial though, and submitting a security assessment and plan to the CPDP is mandatory.  Further, the CPDP recognises that some agencies may already comply with much of the Standards by having implemented the Information Security Management Framework (2009) and through annual reporting to the Victorian Auditor-General's Office.  The steps required to achieve compliance will not necessarily be the same for all agencies or wholly new or particularly onerous.

Other factors to consider in your compliance framework


  • Are your information policies and procedures consistent and do they reference each other?  Are your staff aware of where to find them, and are they regularly checked and updated?
  • Does your organisation have up to date privacy and data security incident management procedures? Does your organisation need defined criteria of when to notify others and escalate incidents?
  • Have you developed scenario-based privacy and data-security training for CSPs and your frontline staff based on their day-to-day roles?
  • Do you need an information asset register?  This can identify the information you handle, its value, risks and regulatory requirements, and how to use and manage it.


If you have any queries regarding privacy law in Victoria, please call:

Rebecca Radford
Managing Principal Solicitor
9947 1403

Molina Asthana
Principal Solicitor
9947 1420

James Stephens
Principal Solicitor
9947 1422

Friday, 27 January 2017

Personal Information and Metadata: Is the Telstra case really the most important Australian Privacy case to date? We're not so sure.

The Full Federal Court has taken a narrower view of 'personal information' under Commonwealth privacy law than the view preferred by the Australian Privacy Commissioner. However, the decision does not necessarily narrow the statutory definition.

The case related to a journalist's request to Telstra for metadata regarding his mobile phone. The Full Court dismissed the Commissioner's appeal and confirmed that personal information must be 'about' an individual, not merely information from which the individual's identity could be reasonably ascertained.

The Court expressed doubts about the usefulness of the orders that the Commissioner wanted, and noted that applications by non-parties to make submissions relied on overseas laws with different wording, and appeared to raise issues that went beyond the point being appealed.

While a high level of attention has been given to the case, some commentary has not been substantiated in the decision itself. The case is likely to have limited impact on how the Victorian definition of 'personal information' is interpreted, and might have limited impact more generally because the decision itself is a narrow one. The Full Court did not decide whether the 'metadata' requested in that case was personal information, or rule on hypothetical examples or criteria to assess whether it was. Rather, it confirmed an evaluation will still be necessary in each case based on the facts and circumstances. This includes whether an item of information might be 'about' a person when considered along with other information. Also, the definition of 'personal information' in Commonwealth privacy law has changed since the time the decision relates to.

If you'd like to discuss any of the issues raised by this decision please call James Stephens or Snezana Stojanoska.

James Stephens
Principal Solicitor
03 9947 1422

Snezana Stojanoska
Solicitor
03 9947 1412


Tuesday, 8 November 2016

For their eyes only? When can an employer access and use information on an employee's Facebook page?

Supreme Court confirms public sector employer has privacy obligations with respect to personal information on an employee's Facebook page but may use that information where there's a legitimate reason to do so (such as reasonably conducting a legitimate employment misconduct investigation).

A recent decision of the Supreme Court of Victoria (Jurecek v Director, Transport Safety Victoria [2016] VSC 285) provides guidance about when a public sector employer may access an employee's social media publications without breaching privacy laws.
The proceeding was brought under the Information Privacy Act 2000 (the Act), but the Court's findings are relevant to the Privacy and Data Protection Act 2014  because the Information Privacy Principles (IPPs) under both Acts remain the same in all material respects.

The Facts

The employee engaged in various Facebook activity, including posts and messages that were abusive and critical of her employer and other employees.  The employee operated her Facebook page under a pseudonym with privacy settings, although these did not fully restrict access to the Facebook page.
The employer was made aware of the activity and initiated a disciplinary investigation.  For the purposes of that investigation the employer accessed the employee's Facebook page, initially without her knowledge, and took screenshots of the content.

The employee was disciplined following findings of misconduct.

The employee lodged a complaint with the Privacy Commissioner, alleging that the employer had breached the IPPs by accessing her Facebook page.  The Privacy Commissioner dismissed the complaint and the matter was referred to the Victorian Civil and Administrative Tribunal (VCAT).  VCAT also dismissed the complaint and the employee appealed VCAT's decision to the Supreme Court.

Social media posts may be 'personal information' for the IPPs

The employer contended that, because the employee’s Facebook posts were accessible by anyone, they possessed the character of a 'generally available publication' and were therefore exempt from the operation of the IPPs under the Act.

The Court disagreed, taking the view that the mere publication of information on Facebook or the Internet does not necessarily make it a ‘generally available publication’.
Whether such information is a 'generally available publication' will depend on the facts and circumstances as a whole, the nature of the information, the prominence of the site, the likelihood of the access and the steps needed to access the site.

In this case, the Court found that the employee's Facebook posts were not 'generally available' and, because the posts expressed her opinion, they satisfied the definition of ‘personal information’ for the purposes of the Act.  Accordingly, the IPPs applied and the Court needed to determine whether they had been breached.

Employers may access an employee's social media posts if reasonably necessary for an investigation

The employee claimed that the employer was not lawfully entitled to access and collect her personal information (ie her Facebook posts) because such collection was not 'necessary for one or more of the organisation's functions or activities'.

The Court agreed that the employer could only access and collect the employee's personal information if it was necessary for the organisation's functions or activities.  However, the Court found that the disciplinary investigation was a function of the employer’s organisation and that accessing the employee’s Facebook account for that purpose was legitimate and necessary and not unlawful, unfair or unnecessarily intrusive.

Employers need to inform employees when they collect personal information from social media, but not necessarily immediately


The employer delayed notifying the employee about its collection of her personal information.  The employee claimed that this delay constituted a breach of the IPP notification obligations.
The Court rejected that claim.  It held that the IPPs do not impose an obligation of immediate notification but rather an obligation to take such steps as early as practically possible.  In this case, it was reasonable for the employer not to notify the employee earlier because it could have jeopardised the integrity of the disciplinary investigation.

Key implications


  • Public sector employers may collect personal information from an employee’s social media page, but only when it is necessary for one or more of the organisation’s functions.
  • If access to an employee's social media page is reasonably necessary for a disciplinary investigation, accessing that page and collecting relevant information is unlikely to breach the IPPs.
  • If an employee's personal information is collected, employers must take steps to notify the employee as early as is reasonable in the circumstances.  Employers do not need to notify an employee immediately if doing so would jeopardise a disciplinary investigation or other legitimate purpose.


As the Court noted, 'matters of fact and degree are involved' and it is necessary to balance, 'in a reasonably proportionate way', 'what is at stake for the individual' with the 'nature and importance of any legitimate purpose' and 'the extent of the interference'.  This means that each situation needs to be considered on its merits.

To discuss workplace relations further contact:

Rosemary Robins
Solicitor
Workplace Relations & Occupational Safety
9032 3036

Jacqueline Parker
Assistant Victorian Government Solicitor,
Workplace Relations & Occupational Safety
9032 3011

Thursday, 4 August 2016

Shining a light on innovation…

Everyone is talking about innovation - the Commonwealth Government wants us to be an 'innovation nation' and entrepreneurs like Elon Musk and Steve Jobs are the rock stars of our era.  Innovation is often associated with technology, investment banking and start-ups.  Like all stereotypes, this tells only part of the story.  Some of the most interesting innovation is happening in our backyard - the Victorian public sector.

In addition to encouraging innovation in the private sector, the Victorian Government is encouraging the public sector to consider how we can perform our functions and deliver public services better. What is better depends on what you are trying to achieve - it might mean 'better', in the sense that a citizen gets the public service they need more quickly and easily; it might mean 'better', in the sense of more efficient use of public money; or maybe it means 'better' in the sense of a new function being performed that was previously thought to be impossible or outside of the capacity of the public sector.

The Victorian Government is supporting the public sector to act on their innovative ideas through:

  • The Public Sector Innovation Fund, which provides funding support for pilot projects that test or prove new knowledge, technologies, processes or practices to deliver public value and that can be scaled or replicated across government.  Grants of $50,000 to $400,000 are available.
  • The Australian Information Industry Association iAwards, at which the Premier will award the inaugural iAward for Public Sector Innovation.  The winner will be revealed on 1 September 2016.

Examples of projects already funded by the Public Sector Innovation Fund include:

  • Code for Victoria Challenge, in which three teams of Code for Australia Fellows will be placed within government departments for six months.  The Fellows will create new tools or streamline processes that will make government information more open and accessible online, and improve the delivery of government services.  The first round of Code for Victoria Innovation Challenge recipients was announced this week.
  • The 2016 Budget Hack brought together the public sector, the tech community and industry leaders to find new and better ways to visualise, use and leverage data from the State Budget.  The winning entry, Bling My Suburbs, allows users to search budget information by suburb.  The other entries in the top three were Budget Pie, which allows a user to see how much funding was allocated to the issues affecting them (i.e. how much of the pie do my issues get?), and Ask Budget, which uses a word cloud to identify how frequently an issue was mentioned and then summarises the mentions.

Many of the innovations are not complicated, nor did they require a Steve Jobs to think of them.  Many examples of public sector innovation start with an idea or feedback from a citizen.  For example:

  • Service Victoria is creating a 'one stop shop' for citizens looking for government information.  I tried it out on my sister, who is moving house this weekend.  Through some simple questions asked of the website over dinner, my sister found the right places to change her driver's licence, find out who her new council and MPs are, when her hard rubbish collection is and how much her rates will be.  Service Victoria received additional funding in the recent State Budget, which will enable it to implement its objective of digitising more government transactions.
  • EPA AirWatch provides visual information on air quality on an hourly basis.  Using a Google map, the user can see the status of air quality at a monitoring station (Very Good, Good, Poor, etc) and then see a more detailed break down of the readings, including a health category.
  • The online family violence intervention application form allows people to apply for intervention orders online, rather than by submitting a paper form.  The online format allows high risk cases to be flagged and brought to the attention of a magistrate earlier.  The form has been piloted at the Neighbourhood Justice Centre and, with a grant from the Public Sector Innovation Fund, will now be rolled out to the Magistrates' Court.

Innovation is also happening in government legal services.

  • Government departments are exploring ways in which government can benefit from 'the new legal paradigm', in which technology and new business models are reducing legal costs and communication styles are changing.  Some departments have started the conversation with panel law firms.
  • VGSO has appointed its first Innovation Counsel who has challenged and evangelised our lawyers to explore with government agencies how legal services can be delivered in ways that better meet the needs of government.

Everyone is talking innovation - and the Victorian public sector is doing innovation.  How is your agency innovating?  What do you think the public sector could do differently or better?  Tell us your thoughts in the comments.

To find out more please contact:

Katie Miller
Innovation Counsel

Andrew Suddick
General Counsel

Joanne Kummrow
Special Counsel

Thursday, 16 June 2016

When can you leave the past behind you?

In recent weeks, attention has been drawn to a federal election candidate in Western Australia who did not declare two spent convictions to the political party that had endorsed him as its election candidate.  The candidate has now been disendorsed by the political party and lost the opportunity to run for a seat in the Federal Parliament.
Aside from heightened scrutiny of candidates at election time, this situation raises a simple question, that does not always have a clear answer: what is a 'spent' conviction?  And in what circumstances does a person need to disclose such information to a government agency, employer or a non-government organisation?

The short answer is that it will generally depend (in part) on the nature of the offence, when and where the offence was committed, and to what organisation or to whom you are providing the information.

What may surprise is that there is no spent conviction legislation in Victoria or formal rules that govern the disclosure of criminal history information.  However, Part VIIC of the Crimes Act 1914 (Cth) sets out the Commonwealth Spent Conviction Scheme.  All other jurisdictions in Australia have spent conviction schemes.

Victoria

A person's history of Victorian criminal convictions is held by, and accessed through, Victoria Police.

While Victoria has recently passed legislation which provides for the expungement of certain historical homosexual offences, it does not have a general statutory regime dealing with spent convictions.

However, Victoria Police has an Information Release Policy that it applies to requests for an individual's criminal conviction history.

The Information Release Policy states that, save for certain exceptions, no details of a prior offence will be disclosed if 10 years have passed since an adult was last found guilty of an offence.  A five year waiting period applies for persons under 18 years of age.  Therefore, details of a person's prior convictions will generally not be disclosed by Victoria Police in a criminal history check once the relevant waiting period has lapsed, in the absence of further offending.  However, an individual's criminal history remains in the records of Victoria Police.  As such, despite the Information Release Policy, Victoria Police may exercise its discretion and disclose criminal history information depending on the purpose for which the information is sought and to whom it will be disclosed (e.g. where the information is required for employment with children, the elderly or disabled persons).

Commonwealth

While Victoria does not have spent conviction legislation, Victoria Police’s Information Release Policy operates, in practice, in a similar way to the Commonwealth’s Spent Conviction Scheme in Part VIIC of the Crimes Act 1914.

Section 85ZM of the Crimes Act 1914 provides that a person's conviction for an offence will be spent if:

  (a) the person has been granted a pardon for a reason other than that the person was wrongly convicted of the offence; or
  (b) the person was not sentenced to imprisonment for the offence, or was not sentenced to imprisonment for the offence for more than 30 months, and the waiting period for the offence has ended.

The scope of a person's rights and obligations under the scheme varies depending on:

  • whether the conviction is for a Commonwealth, state, territory or foreign offence
  • who or what type of authority or organisation knows or is being told about a spent conviction (ie a government authority or a non-government organisation)
  • where the person being told is located.
Generally, the Commonwealth scheme permits a person to not disclose a spent conviction:

  • a spent conviction for a Commonwealth offence, to any person located in a state or territory of Australia;
  • a spent conviction for a state, territory or foreign offence, to a Commonwealth authority.

The scheme also operates to allow a person to say under oath that they have not been charged with or convicted of an offence.

However, some categories and positions of employment are excluded from the Commonwealth scheme and require that a person must declare all convictions when applying for certain positions (eg a law enforcement agency has a right to information about a person's spent convictions for the purpose of making decisions in relation to prospective employees and contractors).

Other jurisdictions

In order to determine what a person’s rights are in relation to non-disclosure of a state or territory offence in Australian jurisdictions other than Victoria, the relevant spent conviction legislation will need to be consulted.

Take home points for individuals and government authorities

When determining whether they must disclose information about a prior conviction, individuals need to carefully consider where the offence was committed, the nature of the offence, how serious it was and what period of time has passed since it was committed.  While there can be a tension between disclosure of a person's prior conviction history and that person's privacy and ability to put their past offending behind them, in some cases disclosure of prior convictions will always be required, or at least expected, given the reason or purpose for which the information is being disclosed.  Individuals should read the fine print on what they are required or expected to disclose about their history of prior convictions and/or disciplinary offences to a government authority or non-government organisation.

Government authorities should ensure their application and consent forms clearly advise members of the public why and when they are required to disclose their prior conviction history, including what if any spent conviction scheme applies (including relevant exceptions) and how the information will be used.  Government authorities should also ensure they comply with privacy and data protection legislation when collecting information about a person's prior convictions.  This includes having privacy policies on how such information may be collected, used and disclosed.

Further information

- Victoria Police, National Police Certificates - Information Release Policy (2016)
- Part VIIC, Division 6 of the Crimes Act 1914 and Regulations 7A and 8 and Schedule 3 of the Crimes Regulations 1990
- Sentencing Amendment (Historical Homosexual Convictions Expungement) Act 2014

Joanne Kummrow
Special Counsel

Michael Williams
Solicitor

Thursday, 4 June 2015

Smile, you could be on 'body worn camera'

Take a closer look at all the gadgets and equipment worn by your local police officer and you might notice a small vest-mounted video camera attached to his or her lapel.  The camera, called a body worn camera (BWC), records police interactions with the public, and BWCs may soon be worn by front line officers across the country.

According to news reports, BWCs are popular and have been trialled in every Australian state. For example:

Even in the US, President Obama has reportedly asked Congress for $263 million over three years for 50,000 BWCs across the country following the tragic events in Ferguson, Missouri. It wouldn't be surprising to see the use of BWCs extend beyond policing to other areas of enforcement - perhaps parking inspectors, park rangers or fisheries officers keen to document their encounters on duty.

What are their key advantages?


1. Potential reduction in violence.

There is little data on the efficacy of BWCs, but what exists is positive.  The most widely cited study tracked their use by police in Rialto, California.  There, Cambridge researchers found that the use of BWCs decreased incidents of the use of force by 59% and complaints against police by 87%.

Although limited, the study suggests that people are less willing to resort to violence and that police behaviour improves when both parties know they are being recorded, and it also appears to deter members of the public from bringing spurious complaints.

2. Use as an evidentiary tool.

For investigating and prosecuting agencies, the BWC is no doubt appealing as an evidentiary tool.  Clear, verifiable footage captured by BWCs could reduce hours in court examining and verifying the veracity of oral accounts.  This in turn would reduce the public resources spent on each trial and enable courts to hear more cases in less time.

However, investigating agencies using or considering using BWC footage as evidence will need to take into account a range of factors including:

  • Admissibility requirements. The admissibility of footage captured by body worn cameras will generally be governed by the principles which apply to the admissibility of evidence in general.  In Victoria these principles are set out in the Evidence Act 2008, which generally provides that evidence is admissible if it is relevant to the issues in dispute between the parties and either is not hearsay or, if hearsay, falls within an exception to the hearsay rule.  However, depending on the jurisdiction in which the dispute is brought, other provisions may be applicable: see for example s 98(1)(b) of the Victorian Civil and Administrative Tribunal Act 1998.
  • Pre-trial disclosure requirements. Agencies will need to be equipped to hand over relevant footage, or at least have facilities for defence lawyers to view the footage in a secure setting.  Whether interested parties, including the media, can access footage when no prosecution is on foot will be another matter for determination.

Other legal considerations


Privacy 


To date, no specific Victorian legislation removes the statutory privacy obligations of police and other agencies using BWCs.  Agencies intending to use BWCs should therefore ensure that their use complies with legislation regulating the collection, use and disclosure of personal and health information, and in particular the Charter of Human Rights and Responsibilities Act 2006, the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001. Notably, the law enforcement exemption to the PDP Act, if applicable, would allow Victoria Police to collect, use, disclose and restrict access to information recorded by BWCs when reasonably necessary to carry out law enforcement functions. In some circumstances the Surveillance Devices Act 1999 may also apply. Amendments to privacy notices are likely to be required.

The law also restricts publication of personal and sensitive information including details of sexual assault, family violence victims and children involved in court proceedings, and information that could prejudice the fairness of any pending or in progress trials.  Agencies will need to be especially careful to identify and appropriately deal with personal information of third parties that is captured in background events and peripheral conversations.

Data retention


Information collected via BWCs must be securely stored and otherwise dealt with in accordance with legislation, including the Public Records Act 1973 and the PDP Act Parts 4 and 5 as applicable.  From a practical perspective, continuous recording could mean enormous data storage costs, so agencies will need to develop policies on when to turn the cameras on and off. For example, it has been reported that the practice in the Northern Territory is to turn on the BWC only when police exercise their powers or 'make customer contact or custody'.

For further information on these issues please contact members of our Policing Practice Group or Technology and Data Protection Practice Group:

Louise Jarrett
Managing Principal Solicitor
t 9247 6798
louise.jarrett@vgso.vic.gov.au

Grahame Best
Solicitor
t 9247 6425
grahame.best@vgso.vic.gov.au

Deidre Missingham
Senior Solicitor
t 8684 0483
deidre.missingham@vgso.vic.gov.au

Friday, 24 April 2015

To retain or not to retain, that is the question: PROV's new record keeping policy


Interest in records management tends to be event-driven.  Last year the release of the Privacy and Data Protection Act 2014 (PDP Act) heightened awareness of data security issues for government entities.  Then in the lead-up to the 2014 State election, minds were turned to which documents should be retained, or not retained, as the case may be.

But best-practice records management presents constant challenges in respect of both form and content of records.  Records now come in diverse forms - not only traditional paper documents and record-keeping or business systems, but also email and social media accounts and network drives, for example.  But their significance is premised on their nature and content, which in some cases can be difficult to assess. 

Additional guidance is now to hand.

New policy released

In February this year, Public Record Office Victoria (PROV) released an over-arching policy on record-keeping for the Victorian Government, pursuant to its responsibility for collecting and preserving records from all Victorian government and local governing bodies whose records are public records under the Public Records Act 1973 (PR Act).    

PROV's new 'Record Keeping Policy: Appraisal Statement for Public Records required as State Archives' (Appraisal Statement) sets out the key appraisal considerations for specifying and identifying those Victorian records that are of permanent value to the Government and people of Victoria.  

What is 'appraisal'?

Appraisal is the process by which those records that are required for preservation as State Archives are identified by Government agencies.  In PROV's words:
appraisal is a planned and documented process based on research and analysis to provide transparent, reasoned and consistent reasons for the retention or non-retention of records. It is a reasonably complex, judicious and somewhat subjective process that involves the evaluation of the continuing value of records for the government and community against the cost of retaining and keeping the records accessible in perpetuity.
PROV has divided the characteristics of records of enduring value into the following six categories:
  1. The authority, establishment and structure of government;
  2. Primary functions and programs of government;
  3. Enduring rights and entitlements (of individuals and groups);
  4. Significant impact on individuals;
  5. Environmental management and change; and
  6. Significant contribution to community memory.
Some of these activities and associated records are relatively self-evident.  For example, in respect of the second category, PROV lists the State budget papers as an example of 'Records that illustrate the government's role in the management of the Victorian economy'. 
However other categories, notably the fourth, are potentially more problematic.  Here PROV's guidance is particularly useful in circumstances where appraisal decisions may affect the 'most vulnerable members of Victorian society'.  Records listed as potentially falling into category four include:
  • Collections and analyses of data compiled for planning and decision making;
  • Representations and appeals against the decisions/actions of government or legislature; and
  • Petitions documenting significant community opposition to government actions or policies.

Records not of permanent value

But what about those records appraised as not being of permanent value? All public records must continue to be retained for as long as they're needed to meet Government's administrative needs and legislative requirements, and to support accountability and community expectations. Section 19 of the PR Act has the effect that it is unlawful to dispose of or destroy a public record other than in accordance with a Standard made under s 12.  Minimum periods are set out in the Standards, or Retention and Disposal Authorities, issued by PROV for use by Government agencies.

Retention periods and personal information

Since opinions may differ as to how an individual record should be categorised in light of the Standards, these minimum periods are not without controversy, particularly in light of the requirements of Information Privacy Principle (IPP) 4.2 of the PDP Act (and its predecessor in the Information Privacy Act 2000 (IP Act)).  IPP 4.2 requires destruction or permanent de-identification of personal information 'if it is no longer needed for any purpose'.

The PR Act prevails over IPP 4.2 as a result of s 6 of the PDP Act (and previously s 6 of the IP Act).  Decisions of the Victorian Civil and Administrative Tribunal have accepted that personal information retained pursuant to a requirement of the PR Act is still relevantly 'needed' for a purpose (Caripis v Victoria Police (Health and Privacy) [2012] VCAT 1472; Zeqaj v Victoria Police (Human Rights) [2013] VCAT 2105).

Agencies should therefore be aware that retention of personal information beyond the retention period specified in a relevant Standard increases their risk if a complaint is made under IPP 4.2.  Moreover, when protective data security standards are released this year under the PDP Act, agencies may need to reevaluate the cost of managing any records that they are not required to retain.

If you are in the Victorian Government and would like assistance in respect of your agency's records management or privacy obligations, contact:

Managing Principal Solicitor
9947 1403

Senior Solicitor
8684 0483





Thursday, 12 February 2015

WA Supreme Court delivers explicit message on privacy: compensation awarded to Facebook post victim

A woman who was the subject of sexually explicit social media posts by her ex-boyfriend has been awarded almost $50,000 in damages, in a further development of the protection of privacy in Australia.

The facts


In the recent case of Wilson v Ferguson, the plaintiff claimed that her former partner had breached an equitable duty of confidence by posting sexually explicit photographs and videos of her on the internet.

The couple had sent each other explicit photographs over the course of their relationship.  The defendant also took naked photographs of the plaintiff with her consent.  On one occasion, the defendant accessed the plaintiff's phone without her permission and emailed himself videos of the plaintiff engaging in sexual activity.

Following the break-down of the relationship, the defendant posted 16 explicit photographs and two videos of the plaintiff on his Facebook page, along with offensive comments.  The images were accessible to hundreds of the defendant's 'Facebook friends' - many of whom also knew the plaintiff - before they were removed several hours later.

Judgment


The Supreme Court of Western Australia found that the defendant had breached an equitable duty of confidence owed to the plaintiff.  The elements for succeeding in an action for breach of confidence are:


  • the information in question was of a confidential nature (i.e., not widely known);
  • the information was communicated or obtained in circumstances importing an obligation of confidence; and
  • the information was used or disclosed without authorisation.


The Court found that where a person shares intimate photographs in the context of a relationship, it is ordinarily on the implied condition that the photographs are to be kept confidential.  In this case, the plaintiff's expectation that the material be kept private was confirmed in her conversations with the defendant.  The Court also found that by accessing sexually explicit videos from the plaintiff's phone without her knowledge, the defendant was placed under a duty to keep those videos confidential.  The Court was satisfied that posting the material on Facebook was a clear misuse of the confidential information.

A new avenue of redress for victims?


While there are numerous criminal offences which involve breaches of privacy (such as stalking, the use of surveillance devices and the interception of telecommunications), the common law action for breach of privacy remains relatively undeveloped in Australia.   As recently reported by the Australian Law Reform Commission, this means there are limited avenues of redress for persons who have suffered from serious intrusions on their privacy.

Plaintiffs have occasionally brought actions for breach of confidence, where the usual remedy is an injunction to prevent the publication, or further publication, of the confidential information.  Equitable damages have traditionally been awarded for economic loss, but not for distress that falls short of a psychiatric injury.  Accordingly, this cause of action has not been seen as useful for plaintiffs who suffer embarrassment, but no financial harm.

Importantly, in Wilson v Ferguson, the Court not only granted an injunction preventing the defendant from republishing the explicit images of the plaintiff, but also awarded equitable damages of $35,000 to the plaintiff as compensation for the distress caused by the dissemination of the images.  The Court expressly relied upon the 2008 Victorian Court of Appeal decision of Giller v Procopets in determining that such damages were available.  The defendant was ordered to pay a further $13,404 in equitable damages for economic loss, to cover the plaintiff's time off work following the incident.

As such, this case represents a potentially significant precedent on the award of equitable damages for emotional distress for the misuse of personal information.  If the decision is followed, bringing a legal action for breach of confidence may become a far more attractive avenue of redress for people who have suffered from serious invasions of their privacy where there was an obligation of confidentiality.

A cautionary tale of the use of technology…


One of the Court's key reasons for expanding the award of equitable damages was the recognition that the law needs to keep pace with the use of technology in modern society. As Justice Mitchell remarked, it is not uncommon for people in relationships to use mobile phones to share intimate communications, and the internet is an easily accessible platform to disseminate those communications to the world.  Although the explicit images in this case were removed from the defendant's Facebook page just hours after being posted, the damage had already been done.  The award of almost $50,000 damages against the defendant comes as a timely reminder that comments and postings made online in the spur of the moment can have far-reaching 'real world' consequences.

For information on privacy law and related criminal offences, please contact:

Louise Jarrett
Acting Managing Principal Solicitor
louise.jarrett@vgso.vic.gov.au

Amy Galeotti
Solicitor
amy.galeotti@vgso.vic.gov.au

Thursday, 21 August 2014

Privacy Bill Passes

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was passed by the Legislative Council. Once proclaimed, the new Act is set to commence no later than 9 December 2014. 

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 2005 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

The Bill ushers in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.


Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:
  • Schedule 1, the Information Privacy Principles (IPPs);
  • the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
  • the codes of practice provisions; and
  • the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:

  1. a public interest determination (PID), or a temporary public interest determination (TPID); or
  2. an approved information usage arrangement (IUA).

Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.


PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:

  • an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
  • an approved code of practice,

it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.


IUAs 

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:

  1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
  2. in respect of any of those acts or practices,
    i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
    ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.


Certification

One additional new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.


Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:

  • the Victorian protective data security framework, developed by the Commissioner;
  • protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
  • protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.


A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.


What about law enforcement data security?

Together with the PDP Bill, the Crime Statistics Bill 2014 (CS Bill) was also passed by the Upper House this week. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the CS Bill.  The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

If you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, or for advice concerning the imminent new Act, call:


Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au
8684 0483


Privacy and Data Protection Bill 2014 Workshops for the Victorian Public Sector

VGSO has held a number of small-group workshops to assist clients to understand the scope of their obligations under the Bill.

Places are still available for the final workshop on Friday 29 August 2014 via www.vgso.vic.gov.au.

To request information about customised training or join the waitlist for future workshops please contact Carrie Anderson 9947 1446 or carrie.anderson@vgso.vic.gov.au.

Friday, 13 June 2014

Privacy Bill Goes Public

This week Victoria’s much anticipated Privacy and Data Protection Bill 2014 (PDP Bill) was introduced into Parliament, and second-read yesterday by the Attorney-General. The Bill reflects the Government’s 2012 commitment to strengthening the protection of personal and other information handled by Victorian government agencies.

This Bill repeals the Information Privacy Act 2000 (IP Act) and the Commissioner for Law Enforcement Data Security Act 2005 (CLEDS Act), and creates a new office of the Commissioner for Privacy and Data Protection (Commissioner) with broad powers of oversight and enforcement. The Bill does not affect the existing legislative arrangements whereby Commonwealth agencies and some private sector entities and individuals are subject to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act).  Victoria’s health privacy regime under the Health Records Act 2001 and related legislation is also unaffected by the Bill.

Nevertheless, if the Bill is passed and assented to, it will usher in a new era with new emphases not only for privacy practitioners but also for public sector body Heads, who will need to pay close attention to their protective data security obligations.

Information Privacy – what’s different, what stays the same?

Provisions of the IP Act that are taken to be re-enacted include:
  • Schedule 1, the Information Privacy Principles (IPPs);
  • the requirement that public sector organisations generally must not do an act or engage in a practice that contravenes an IPP in respect of personal information they collect, hold, manage, use, disclose or transfer;
  • the codes of practice provisions; and
  • the information privacy complaints provisions.

A significant departure from the IP Act is the new provision (clause 20(3)) whereby an organisation is not required to comply with the IPPs in relation to an act or practice that is permitted under:
  1. a public interest determination (PID), or a temporary public interest determination (TPID); or
  2. an approved information usage arrangement (IUA).
Similarly, under clause 16, for the purposes of this Bill, an act done or a practice engaged in by an organisation interferes with an individual’s privacy only if it is contrary to or inconsistent with an IPP or applicable code of practice, or a PID or TPID, or an IUA, or a current certificate issued pursuant to clause 55.

PIDs and TPIDs

The Bill permits the Commissioner to make a written determination that where an act or practice of an organisation may or does breach:
  • an IPP (other than IPP 4, Data Security, or IPP 6, Access and Correction); or
  • an approved code of practice,
it will not be regarded as an interference with privacy while the relevant determination is in force. TPIDs may be of up to 12 months’ duration.

Before making such a determination, the Commissioner must be satisfied that the public interest in the organisation doing the act or engaging in the practice substantially outweighs the public interest in its adhering to the relevant IPP or IPPs or applicable approved code of practice. This test is substantially the same as in s 72 of the Commonwealth Privacy Act. PIDs and TPIDs can be disallowed by either House of Parliament.

IUAs 

An IUA is an arrangement between permitted parties including organisations, agencies of the Commonwealth, another State or Territory, and private sector bodies that:
  1. sets out acts or practices for handling personal information to be undertaken for one or more public purposes as defined; and
  2. in respect of any of those acts or practices,
    i. modifies the application of or provides that the practice does not need to comply with an IPP (other than IPPs 4 and 6), or an approved code of practice; and/or
    ii. permits handling of personal information for the purposes of an ‘information handling provision’ – that is, a provision of an Act that permits handling of personal information as ‘authorised or required by law’ or by or under an Act, or in circumstances or for purposes required by law or by or under an Act.

The Bill details the information to be supplied to the Commissioner when an application for approval is submitted by the organisation that is the IUA’s designated ‘lead party’. Before an IUA may be approved by the relevant Minister or Ministers, the Commissioner must prepare a report and certify that the proposed IUA meets the same public interest test as for PIDs and TPIDs. The Commissioner may issue compliance notices in respect of IUAs, and they may be amended or revoked on specified grounds.

Certification

One additional new mechanism provides for the Commissioner to certify that a specified act or practice of an organisation is consistent with an IPP, an approved code of practice or an information handling provision. This should assist organisations where opinions may differ or there may otherwise be doubt as to the legality of a proposed action. The Commissioner’s certification may be reviewed by VCAT, but organisations who act in good faith on the basis of a certification will be protected while it is in force.

Protective data security

The protective data security provisions of Part 4 of the Bill apply, with specified exceptions, to public sector agencies, special bodies within the meaning of section 6 of the Public Administration Act 2004 and any bodies to which the Governor in Council declares them applicable.

‘Public sector data’ as defined is to be protected by a regime consisting of:
  • the Victorian protective data security framework, developed by the Commissioner;
  • protective data security standards (standards) (which may be either general or customised), to be issued by the Commissioner following approval by the Attorney-General and the Minister for Technology; and
  • protective data security plans (plans) based on the security risk profile assessments (risk assessments) to be undertaken by relevant agencies themselves.

A public sector body Head is accountable under the Bill for compliance with protective data security standards in respect of the public sector data their entity collects, holds, manages, uses, discloses and transfers, and for the public sector data systems their entity keeps. Unlike in respect of Part 3, Information Privacy, the Bill does not provide for the Commissioner to have any direct authority over an entity’s contracted service providers (CSPs). Rather, the relevant public sector body Head must ensure that the entity’s CSPs comply with the applicable standards and plans. Plans based on the risk assessments are to be completed within two years after the publication of the standards. These plans must be provided to the Commissioner, and public sector body Heads must ensure that their plans are reviewed if circumstances change, or otherwise every two years.

What about law enforcement data security?

Together with the Bill, the Crime Statistics Bill 2014 has also been introduced into Parliament. The security of law enforcement data is separately provided for in Part 5 of the Bill, which applies to Victoria Police and the Chief Statistician, together with the Chief Statistician’s employees or consultants, under section 6 of the Crime Statistics Bill.  The Bill provides for the Commissioner to issue law enforcement data security standards (law enforcement data security standards), and it is intended that there be no gap in the application of the existing 2007 law enforcement data standards under the CLEDS Act and those provided for under the Bill. To the extent that there is any inconsistency between a law enforcement data security standard and a standard, the law enforcement data security standard prevails.

Part 6 of the Bill gives the Commissioner significant powers to require access to data, data systems and crime statistics data and to take copies or extracts of that data. If, in the course of conducting a compliance audit in respect of Parts 4 and 5 of the Bill, the Commissioner considers that any matter requires urgent attention, it may be referred to appropriate persons or bodies including the Ombudsman, the Director of Public Prosecutions and the Independent Broad-based Anti-corruption Commission (IBAC). The Commissioner may in any case disclose any information obtained in connection with the Commissioner’s functions to the IBAC if the information is relevant to functions or duties of the IBAC.

This Bill is yet to be debated in Parliament, and is sure to attract considerable public attention and comment over the coming weeks. Meanwhile, if you are in the Victorian Government and would like assistance to ensure that your agency’s privacy practices comply with the IP Act, call:

Carolyn Doyle
Managing Principal Solicitor
carolyn.doyle@vgso.vic.gov.au
9947 1403

Deidre Missingham
Senior Solicitor
deidre.missingham@vgso.vic.gov.au

Forthcoming seminar for the Victorian Public Sector

VGSO is delighted to announce that the speaker at our seminar on 22 July will be David Watts, who is currently the Acting Privacy Commissioner and CLEDS Commissioner. Also presenting will be Deidre Missingham who, on secondment from the VGSO to the Department of Justice, was the Senior Legal Policy Officer and principal instructor in relation to the new Bill.

To reserve a seat at this seminar, please contact VGSO via marketing.team@vgso.vic.gov.au.

Privacy and Data Protection Bill 2014 Workshops for the Victorian Public Sector

VGSO is holding small-group workshops on the following dates to assist clients to understand the scope of their obligations under this new Bill.
Friday 8 August
Monday 11 August
Friday 15 August
Tuesday 19 August

To register your interest in these workshops, please contact Carrie Anderson on 9947 1446 or at carrie.anderson@vgso.vic.gov.au.

Friday, 14 March 2014

Commonwealth Privacy Reform - time to get APP-y


12 March 2014 sees the commencement of long-awaited changes to the Privacy Act 1988 (Cth) (Privacy Act). On 12 March 2013, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 comes into effect. It represents a watershed moment in the Commonwealth privacy law reform process, which commenced some 10 years earlier.

Victorian agencies remain subject to the Information Privacy Act 2000 (Vic). That hasn't changed. What will change is how the Privacy Act applies to Commonwealth agencies, some businesses and individuals and what the Australian Information Commissioner can now do to enforce the Privacy Act. 

So what's going to change?


From 12 March 2014, there will be three significant changes: 

  1. 13 Australian Privacy Principles will replace the Information Privacy Principles and National Privacy Principles; 
  2. Credit reporting laws will change to allow more credit information to be shared between credit providers; and 
  3. The Australian Information Commissioner's regulatory and enforcement powers will be strengthened. 

1. Australian Privacy Principles


For the first time, a set of 13 harmonised privacy principles, the Australian Privacy Principles (APPs) will apply to Australian government agencies and some private businesses. Up until 12 March 2014, agencies were subject to the Information Privacy Principles (IPPs) and businesses were subject to the National Privacy Principles (NPPs).

The APPs make significant changes to some of the privacy principles that were embodied in the IPPs and NPPs. They are more comprehensive than their predecessors, and more rigorous in what agencies and businesses must do to comply. These new APPs have been designed to respond to changes in information technology and emerging privacy issues and aim to address changes in privacy law.

Under the new APPs, agencies and providers will need to maintain and make available a comprehensive privacy management policy, the APP Privacy Policy. It must include information such as the kinds of personal information the entity collects or holds, how it collects and holds that information and for what purposes, how an individual may access their information, and information about the entity's complaints handling and resolution processes. The APPs also specifically deal with opting out of direct marketing, dealing with unsolicited information and cross-border data flows.

What will the APPs mean for Victorian agencies?


Victorian agencies should keep these changes in mind when dealing with their Commonwealth counterparts or with private entities that are subject to the Privacy Act. There are some key points for Victorian agencies:

Victorian government Departments or agencies are not required to comply with the APPs, even under any contracts they have with Commonwealth agencies.  This is because State or Territory authorities are not 'organisations' that can be 'contracted service providers' or 'APP entities' under the Privacy Act.

The APPs won't apply directly to organisations that are contracted service providers to Victorian government agencies with respect to what they do for the purposes of meeting their contractual obligations to the agency. Victorian government contracted service providers are still subject to the IP Act. However, Victorian government agencies should review their contracts with contracted service providers to see whether those contracts refer specifically to the NPPs and, if so, vary them to replace each reference to an NPP with the appropriate APP.

There are more circumstances in which APP entities can disclose personal information to Victorian agencies, if the disclosure to the Victorian agency is not related to the primary purpose of collecting that personal information.  APP entities can disclose personal information in 'permitted general situations' specified in the Privacy Act.  These permitted general situations could apply to Victorian agencies working with Commonwealth agencies to assist them in their functions: for example, an APP entity may disclose personal information if the entity has reason to suspect that unlawful activity or misconduct of a serious nature relating to the entity's functions has been, is being, or may be engaged in, and it reasonably believes that the disclosure is necessary for it to take appropriate action in relation to that matter. 

The Office of the Australian Information Commissioner has produced Guidelines to support entities' compliance with the APPs.


2. Credit reporting law changes


Under the new Part IIIA of the Privacy Act, credit reporting arrangements will allow for more information to be included in an individual's credit report. From 12 March, information about an individual's current credit commitments and repayment history over the previous two years will be made available to, and can be transferred between, licensed credit providers. If an adult defaults on a credit repayment of over $150, this information can be shared between providers and considered the next time the adult wishes to obtain a credit card, home loan or other credit facility.

In addition to credit repayment information, licensed providers will be able to collect and disclose information about a person's credit type, credit limit, terms and conditions of the credit facility, and the day on which the credit facility commenced and ceases.


3. Australian Information Commissioner with enhanced powers


The Australian Information Commissioner will have a suite of enhanced regulatory and enforcement powers (which would generally be exercised by the Privacy Commissioner). Under the changes, the Australian Information Commissioner will be able to: 

  • assess agencies' privacy management processes and systems;
  • assess agencies' compliance with the APPs;
  • accept enforceable undertakings from entities to act or to refrain from acting in a particular way; 
  • apply to the courts to compel an entity to comply with an enforceable undertaking; and 
  • apply to the courts for civil penalty orders: in serious cases or for repeated breaches, civil penalties can be sought for up to $1.7 million. 

Commonwealth privacy amendments will certainly receive much public attention this month. Victoria will have its turn later this year when amendments to the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic) are introduced. VGSO will be providing guidance and training on these amendments following their introduction into Parliament in coming months. 


Of course, privacy is a matter to which agencies must give their attention throughout each year. If you are in the Victorian Government and would like assistance to ensure your agency's privacy practices comply with the Information Privacy Act 2000 (Vic), or if you would like to discuss changes to the Privacy Act, call:


Joanne Kummrow
Special Counsel
8684 0462

Katie Miller
Managing Principal Solicitor
8684 0460

Steven Brnovic
Senior Solicitor
8684 0453

Tuesday, 8 October 2013

Time to spring-clean your privacy policy?

Big reforms are afoot in federal privacy law.  They don’t change Victorian law but they do give Victorian agencies some reasons to spring-clean their privacy policies.

Federal changes


From 12 March 2014, the Australian Privacy Principles (APPs) will apply to private sector organisations and Commonwealth Government agencies.

The APPs are a single set of principles that will replace the separate sets of public and private sector principles at the federal level, known as the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) respectively.

These are the most significant amendments to the Privacy Act 1988 (Cth) since its commencement.  Most of the APPs are based on the existing IPPs and NPPs.  However, the APPs also include some significant changes in order to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.

What does this mean for State government entities?

These reforms don’t change Victorian law. However, they are an important development for the Victorian government to monitor because:
  • it affects the privacy rights of individual Victorians; and
  • if the move toward national uniform legislation proposed by the previous federal Government proceeds, it could ultimately affect the privacy obligations of Victorian public sector bodies.

The privacy principles in the Information Privacy Act 2000 (Vic) and the Health Records Act 2001 (Vic), which apply to the handling of personal information and health information by the Victorian public sector, are both adapted from the NPPs.  This was done, as explained in the Explanatory Memorandum to the IP Act, to maintain as ‘much consistency as possible’ with ‘perceptions and practice already operating nationally’.

Because the Victorian principles are based on the NPPs rather than the IPPs, the obligations of Victorian government agencies are, in many respects, similar to those that private sector organisations and Commonwealth government agencies will now have to comply with.  Victorian agencies have long been required to:
  • have a clear and accessible policy about the management of personal information by the agency; and
  • provide individuals with the option of not identifying themselves when entering transactions with the agency.

Other requirements of the APPs do not explicitly feature in Victorian law.  These include new obligations when an entity receives unsolicited information or engages in direct marketing.

Privacy policies


Although these new federal privacy reforms do not directly affect the privacy obligations of the Victorian public sector, there are two reasons why Victorian agencies might want to review their current privacy policies.

Firstly, whilst VIPP 5 has long required Victorian public sector organisations to have clearly expressed policies on managing personal information, the new APP 1 is far more prescriptive as to what an agency’s privacy policy should specify.  It requires privacy policies to contain the following information:
  • the kinds of personal information that the entity collects and holds;
  • how the entity collects and holds personal information;
  • the purposes for which the entity collects, holds, uses and discloses personal information;
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  • how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  • whether the entity is likely to disclose personal information to overseas recipients;
  • if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Further guidance on each of these items is set out in the draft guideline for APP 1.

Given that the previous acting Victorian Privacy Commissioner wrote approvingly of the level of detail in APP 1, it would be a worthwhile exercise for Victorian agencies to consider if their policies match these more prescriptive requirements.

Secondly, the Office of the Australian Information Commissioner (OAIC) has recently conducted a ‘privacy sweep’ of the websites most used by Australians.  It assessed nearly 50 website privacy policies for accessibility, readability and content. 

The OAIC found that most sites had issues with either readability, provision of contacts for further information, relevance or length.  In particular, it was concerned that the average length of policies was over 2600 words, which it considered was too long for people to understand the key points.

The OAIC helpfully identified the following characteristics of the better privacy policies, which might be of interest to Victorian agencies thinking of updating their privacy policies:
  • Some of the best examples observed during the sweep were policies that made efforts to present the information in a way that was easily understandable and readable to the average person. This was accomplished through the use of plain language; clear and concise explanations; and the use of headers, short paragraphs, FAQs, and tables, among other methods.
  • Most organisations included contact information for the particular individual responsible for privacy practices. Providing more than one option for contacting that individual (eg mail, toll-free number and email) is a thoughtful way of ensuring there are no barriers to contacting an organisation about its privacy practices.
  • Some policies had been tailored for mobile apps and sites, going beyond simply providing a hyperlink to an organisation's existing website privacy policy.
  • In some instances, organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information.

If you are in the Victorian government and would like advice on these developments or your privacy policy, please contact:

Carolyn Doyle
Principal Solicitor
t 9032 3038
carolyn.doyle@vgso.vic.gov.au